From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Noah Misch <noah(at)leadboat(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, David Steele <david(at)pgmasters(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Additional role attributes && superuser review |
Date: | 2016-01-04 20:07:41 |
Message-ID: | 20160104200741.GF3685@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Tue, Dec 29, 2015 at 5:35 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > * Noah Misch (noah(at)leadboat(dot)com) wrote:
> >> > Updated patch attached. I'll give it another good look and then commit
> >> > it, barring objections.
> >>
> >> This thread and its satellite[1] have worked their way through a few designs.
> >> At first, it was adding role attributes, alongside existing attributes like
> >> REPLICATION and BYPASSRLS. It switched[2] to making pg_dump preserve ACLs on
> >> system objects. Built-in roles joined[3] the pg_dump work to offer predefined
> >> collections of ACL grants. Finally, it dropped[4] the pg_dump side and
> >> hard-coded the roles into the features they govern.
> >
> > Correct, after quite a bit of discussion and the conclusion that, while
> > pg_dump support for dumping ACLs might be interesting, it was quite a
> > bit more complex an approach than this use-case justified.
>
> Hmm. I don't think I agree with that conclusion. Who were the
> participants in that discussion, and how many people spoke in favor
> from moving on from that proposal - which I rather liked - to what
> you've got now? Do you have links to the relevant portion of the
> relevant thread?
I'm not sure it's entirely relevant now- I've outlined the reasoning in
my email to Noah as a, hopefully, pretty comprehensive summary. If that
doesn't sway your minds then it seems unlikely that a reference to a
thread from 6 months or a year ago would. Further, as happens, other
discussions were in person where I discussed the ideas with other
hackers at conferences. I got generally positive responses to the idea
of default roles with specific sets of rights, which is the path that
I've been on since. As with most decisions, there was not a formal vote
over the proposals for me to reference. I do specifically recall the
opinion that sets of privileges probably make more sense than granting
out individual ones, from Tom, if I'm remembering correctly.
In any case, I can work on the pg_dump support for catalog ACLs if there
is agreement now on that being the direction to go in. If there's
agreement that we are happy with the idea of default roles also then I
can strip out those few which are only one-permission and which
therefore wouldn't be necessary, if we had ACL support on catalog
objects, quite easily.
> I think it's not a very good thing if we add roles that allow, say,
> execution of exactly one SQL function. The
> dump-grants-on-system-objects proposal would accomplish the same thing
> in a much more flexible way, and with less catalog clutter.
For my 2c, I don't see a default role or two as creating terribly much
clutter. Changing all of our code that currently has internal checks to
rely on the external checks and adjusting the permissions on the
individual functions will be a fair bit of churn though.
> More
> broadly, I'm not very convinced that even the roles which allow for
> rights on multiple objects are going to meet with general approval.
There's been rather little oposition to the idea and support when I've
discussed it. Of course, that was before it got to the point where I
was planning to commit it. Perhaps there will be once it's actually in,
or maybe not until it's in the wild. In any case, I continue to feel,
as others have, that we can make adjustments moving forward.
> There has been enough discussion of which roles should be created and
> which things should be included in each one, and the overall tenor of
> that discussion seems to be that different people have different
> ideas.
Michael had a question about pg_switch_xlog, but he appeared to
reconsider that position after the subsequent discussion, which put us
back to essentially the same proposal that I started with, I believe. I
don't recall terribly much other discussion or concern about what roles
should be created or what should be included in each one, though I'd be
happy to hear your thoughts on what you'd like to see.
I certainly don't like the idea of punting on all of this to the user to
figure out, even if it does meet the specific requirements our clients
have asked for, it strikes me that we can do better.
Thanks!
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2016-01-04 20:13:43 | Re: Broken lock management in policy.c. |
Previous Message | Alvaro Herrera | 2016-01-04 20:05:56 | Re: remove wal_level archive |