Re: Additional role attributes && superuser review

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Additional role attributes && superuser review
Date: 2015-03-05 16:42:57
Message-ID: 20150305164257.GA29780@tamriel.snowman.net
Lists: pgsql-hackers

* Peter Eisentraut (peter_e(at)gmx(dot)net) wrote:
> On 2/28/15 10:10 PM, Stephen Frost wrote:
> > * Adam Brightwell (adam(dot)brightwell(at)crunchydatasolutions(dot)com) wrote:
> >> I have attached an updated patch for review.
> >
> > Thanks! I've gone over this and made quite a few documentation and
> > comment updates, but not too much else, so I'm pretty happy with how
> > this is coming along. As mentioned elsewhere, this conflicts with the
> > GetUserId() to has_privs_of_role() cleanup, but as I anticipate handling
> > both this patch and that one, I'll find some way to manage. :)
> >
> > Updated patch attached. Barring objections, I'll be moving forward with
> > this soonish. Would certainly appreciate any additional testing or
> > review that you (or anyone!) has time to provide.
>
> Let's move this discussion to the right thread.

Agreed.

> Why are we not using roles and function execute privileges for this?

There isn't a particular reason not to, except that the existing checks
are in C code and those would need to be removed and the permission
changes done at initdb time to revoke EXECUTE from PUBLIC for these
functions. Further, as you pointed out, we'd need to dump out the
permissions for the catalog tables and functions with this approach. I
don't expect that to be too difficult to do though.

Thanks!

Stephen
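
Added example, not part of the message above or of the patch under discussion: the role-plus-EXECUTE-privilege approach asked about in the thread, shown on a constructed stand-in function rather than a real system function. The names admin_only_op, op_admins, alice and bob are hypothetical.

```sql
-- Constructed stand-in for a function whose permission check is
-- currently hard-coded in C (hypothetical name).
CREATE FUNCTION admin_only_op() RETURNS text
    LANGUAGE sql AS $$ SELECT 'done'::text $$;

-- Functions are executable by PUBLIC by default. This is the step
-- that would have to happen at initdb time for the real functions.
REVOKE EXECUTE ON FUNCTION admin_only_op() FROM PUBLIC;

-- A group role carries the privilege instead of a role attribute.
CREATE ROLE op_admins NOLOGIN;
GRANT EXECUTE ON FUNCTION admin_only_op() TO op_admins;

CREATE ROLE alice LOGIN;   -- member of the group
CREATE ROLE bob   LOGIN;   -- not a member
GRANT op_admins TO alice;

-- Effective privilege per role: alice inherits it through membership,
-- bob has none now that PUBLIC no longer holds EXECUTE.
SELECT r.rolname,
       has_function_privilege(r.rolname, 'admin_only_op()', 'EXECUTE')
           AS can_execute
FROM pg_roles r
WHERE r.rolname IN ('alice', 'bob', 'op_admins')
ORDER BY r.rolname;

-- The stored ACL. A non-NULL proacl is the state a dump would need to
-- reproduce, which is the dump requirement mentioned in the message.
SELECT p.oid::regprocedure AS func, p.proacl
FROM pg_proc p
WHERE p.proname = 'admin_only_op';

-- Audit: functions in a schema that PUBLIC can still execute
-- (an empty grantee before '=' in an ACL entry means PUBLIC).
SELECT p.oid::regprocedure AS func
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND (p.proacl IS NULL
       OR EXISTS (SELECT 1 FROM unnest(p.proacl) AS a
                  WHERE a::text LIKE '=%X%'));
```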
