Re: Additional role attributes && superuser review

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Additional role attributes && superuser review
Date: 2014-10-16 18:43:36
Message-ID: CA+TgmoYrQV_QnfGJPbZFJ03fGA5ydpm=Aa+Mw=n0+rmjq19xbw@mail.gmail.com
Lists: pgsql-hackers

On Thu, Oct 16, 2014 at 11:24 AM, Alvaro Herrera
<alvherre(at)2ndquadrant(dot)com> wrote:
> Stephen Frost wrote:
>> * Petr Jelinek (petr(at)2ndquadrant(dot)com) wrote:
>> > On 15/10/14 07:22, Stephen Frost wrote:
>> > > First though, the new privileges, about which the bikeshedding can
>> > > begin, short-and-sweet format:
>> > >
>> > > BACKUP:
>> > > pg_start_backup()
>> > > pg_stop_backup()
>> > > pg_switch_xlog()
>> > > pg_create_restore_point()
>> >
>> > As others have commented, I too think this should support pg_dump.
>>
>> I'm utterly mystified as to what that *means*. Everyone asking for it is
>> great but until someone can define what "support pg_dump" means, there's
>> not much progress I can make towards it..
>
> To me, what this repeated discussion on this particular BACKUP point
> says, is that the ability to run pg_start/stop_backend and the xlog
> related functions should be a different privilege, i.e. something other
> than BACKUP; because later we will want the ability to grant someone the
> ability to run pg_dump on the whole database without being superuser,
> and we will want to use the name BACKUP for that. So I'm inclined to
> propose something more specific for this like WAL_CONTROL or
> XLOG_OPERATOR, say.

I'm a little nervous that we're going to end up with a whole bunch of
things with names like X_control, Y_operator, and Z_admin, which I
think is particularly bad if we end up with a mix of styles and also
bad (though less so) if we end up just tacking the word "operator"
onto the end of everything.

I'd suggest calling these capabilities, and allow:

GRANT CAPABILITY whatever TO somebody;

...but keep extraneous words like "control" or "operator" out of the
capability names themselves. So just wal, xlog, logfile, etc.
rather than wal_operator, xlog_operator, logfile_operator and so on.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
