| From: | Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Noah Misch <noah(at)leadboat(dot)com>, Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "chap(at)anastigmatix(dot)net" <chap(at)anastigmatix(dot)net>, torikoshia <torikoshia(at)oss(dot)nttdata(dot)com> |
| Subject: | Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers) |
| Date: | 2021-07-26 20:25:29 |
| Message-ID: | 6E892218-B431-4BAE-9E2D-8DF3741A58EA@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On Jul 26, 2021, at 1:12 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> Alice should not be permitted to preventing Bob
> from doing something which Bob is allowed to do and Alice is not
> allowed to do.
That sounds intuitively reasonable, though it depends on what "which Bob is allowed to do" means. For instance, if Alice is only allowed to enable or disable connections to the database, and she disables them, then she has prevented Bob from, for example, creating tables, something which Bob is otherwise allowed to do, because without the ability to connect, he cannot create tables.
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2021-07-26 20:27:05 | Re: Removing "long int"-related limit on hash table sizes |
| Previous Message | Tom Lane | 2021-07-26 20:24:46 | Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers) |