Re: logical replication access control patches

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: logical replication access control patches
Date: 2017-02-18 23:06:07
Message-ID: 20170218230607.GZ9812@tamriel.snowman.net
Lists: pgsql-hackers

Peter,

* Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
> 0002 Add PUBLICATION privilege
>
> Add a new privilege kind to tables to determine whether they can be
> added to a publication.

I'm not convinced that it really makes sense to have PUBLICATION of a
table be independent from the rights an owner of a table has. We don't
allow other ALTER commands on objects based on GRANT'able rights, in
general, so I'm not really sure that it makes sense to do so here.

The downside of adding these privileges is that we're burning through
the last few bits in the ACLMASK for a privilege that doesn't really
seem like it's something that would be GRANT'd in general usage.

I have similar reservations regarding the proposed SUBSCRIPTION
privilege.

I'm certainly all for removing the need for users to be the superuser
for such commands, just not sure that they should be GRANT'able
privileges instead of privileges which the owner of the relation or
database has.

Thanks!

Stephen
