Re: Predefined role pg_maintenance for VACUUM, ANALYZE, CHECKPOINT.

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>
Cc: Jeff Davis <pgsql(at)j-davis(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Robert Haas <robertmhaas(at)gmail(dot)com>, "Bossart, Nathan" <bossartn(at)amazon(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Bharath Rupireddy <bharath(dot)rupireddyforpostgres(at)gmail(dot)com>
Subject: Re: Predefined role pg_maintenance for VACUUM, ANALYZE, CHECKPOINT.
Date: 2021-11-08 17:53:44
Message-ID: 20211108175343.GJ20998@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Alvaro Herrera (alvherre(at)alvh(dot)no-ip(dot)org) wrote:
> On 2021-Nov-08, Stephen Frost wrote:
>
> > * Alvaro Herrera (alvherre(at)alvh(dot)no-ip(dot)org) wrote:
>
> > > That said, if the list is short, then additional predefined roles seem
> > > preferable to having a ton of infrastructure code that might be much
> > > more clutter than what seems a short list of additional predefined roles.
> >
> > None of this strikes me as a 'ton of infrastructure code' and so I'm not
> > quite sure I'm following the argument being made here.
>
> I was referring specifically to Andres' idea of having additional DDL
> commands handled as special GRANTable privileges,
> https://postgr.es/m/20211104224636.5qg6cfyjkw52rh4d@alap3.anarazel.de

Ah, thanks, I had seen that but didn't quite associate it to this
comment.

Perhaps not a surprise, but I tend to favor predefined roles for these
kinds of things. If we do want to revamp how GRANT works, I'd argue for
first splitting up the way we handle privileges to be on a
per-object-type basis and once we did that then we could extend that to
allow GRANT on commands more easily (and with more variety as to what
privileges a GRANT on a command could be). It's kind of cute to have
one bitmap covering all objects but it puts us into a place where
extending what can be GRANT'd on one kind of object necessarily impacts
our ability to GRANT on other kinds (eg: we have a bit reserved for
TRUNCATE in the same bitmask for a schema as we do for a table, but we
don't allow TRUNCATE on schemas and probably never will).

Thanks,

Stephen
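
The shared-bitmap trade-off described in the message above, as an added example that is not part of the original email and is not PostgreSQL source. It is a simplified model: the privilege names, bit positions, 16-bit width and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not PostgreSQL source: names, bit positions and the
 * 16-bit width are assumptions chosen for illustration. */
typedef uint16_t privmask;

/* One bit numbering shared by every object type. */
enum {
    P_INSERT = 1 << 0, P_SELECT = 1 << 1, P_UPDATE = 1 << 2, P_DELETE = 1 << 3,
    P_TRUNCATE = 1 << 4, P_USAGE = 1 << 5, P_CREATE = 1 << 6
};
#define PRIV_BITS_TOTAL    16
#define PRIV_BITS_ASSIGNED 7

enum objtype { OBJ_TABLE, OBJ_SCHEMA, OBJ_NTYPES };

/* Which of the shared bits actually mean something on each object type. */
static const privmask valid_for[OBJ_NTYPES] = {
    [OBJ_TABLE]  = P_INSERT | P_SELECT | P_UPDATE | P_DELETE | P_TRUNCATE,
    [OBJ_SCHEMA] = P_USAGE | P_CREATE,
};

static int popcount16(privmask m) {
    int n = 0;
    for (; m; m >>= 1) n += m & 1;
    return n;
}

/* GRANT-time check: refuse any bit that is meaningless for this object type. */
int grant_is_valid(enum objtype t, privmask requested) {
    return requested != 0 && (requested & ~valid_for[t]) == 0;
}

/* Globally assigned bits that can never be set on this object type. */
int dead_bits(enum objtype t) { return PRIV_BITS_ASSIGNED - popcount16(valid_for[t]); }

/* Free bits left when all object types share one numbering. */
int headroom_shared(void) { return PRIV_BITS_TOTAL - PRIV_BITS_ASSIGNED; }

/* Free bits left if each object type numbered only its own privileges. */
int headroom_per_type(enum objtype t) { return PRIV_BITS_TOTAL - popcount16(valid_for[t]); }

int main(void) {
    printf("TRUNCATE on schema accepted: %d\n", grant_is_valid(OBJ_SCHEMA, P_TRUNCATE));
    printf("schema: %d dead bits, headroom %d shared vs %d per-type\n",
           dead_bits(OBJ_SCHEMA), headroom_shared(), headroom_per_type(OBJ_SCHEMA));
    return 0;
}
```

In this model the schema mask carries five bits it can never use, and every new table-only privilege would shrink the shared headroom for schemas as well.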
