| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Natalie Wenz <nataliewenz(at)ebureau(dot)com> |
| Cc: | "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org> |
| Subject: | Re: postgres_fdw user mapping and role inheritance |
| Date: | 2015-07-17 17:59:05 |
| Message-ID: | 28968.1437155945@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Natalie Wenz <nataliewenz(at)ebureau(dot)com> writes:
> Oh! Of course! The local database doesn't know anything about the role privileges on the remote database, so the information isn't even available on the local database to somehow take the union of all the privileges of foo and bar because they are defined on the remote database. Thanks for responding. I got so wrapped up in our simple use case (where any individual_user in the local_group would connect to foreign_server as the same foreign_user) and couldn't come up with a counter example.
> For our use case, can you think of any other way to do it besides creating a user mapping for every member of local_group? Gilberto's suggestion of setting the session authorization (I think?) won't work because the individual_users don't have privileges to set that. ("ERROR: permission denied to set session authorization")
Would it work for them to do SET ROLE to the group whose mapping they want
to use? IIRC that's allowed for any member of the group. The problem
with this is that their privileges for local operations are also affected,
so maybe that doesn't help you.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Campbell, Lance | 2015-07-20 10:51:40 | pg_dump error |
| Previous Message | Natalie Wenz | 2015-07-17 17:51:37 | Re: postgres_fdw user mapping and role inheritance |