Re: pg_basebackup issue

On 04/22/2017 08:04 PM, chiru r wrote:
> Use case: Want to control database privileges/default roles by creating
> roles instead of granting directly to users.
> So that we can manage database access control easily.

Which you can do. However, pg_basebackup is a cluster wide command not
tied a particular database, so database privileges do not apply. You can
still manage it by restricting the roles able to connect to
'replication' in pg_hba.conf and creating roles that match that have
only the replication attribute. It is why the replication attribute was
added to role creation.

>
> Thanks,
> Chiru
>
> On Sat, Apr 22, 2017 at 10:03 PM, David G. Johnston
> <david(dot)g(dot)johnston(at)gmail(dot)com <mailto:david(dot)g(dot)johnston(at)gmail(dot)com>> wrote:
>
> On Saturday, April 22, 2017, chiru r <chirupg(at)gmail(dot)com
> <mailto:chirupg(at)gmail(dot)com>> wrote:
>
> Thank you Adrian.
>
> It seems the code is allowing only who has Superuser/Replication
> role directly.
>
> Is there any possibility in future releases they allow both case
> A & B Users able to use pg_basebackup.
>
>
> It does not seem wise to introduce inheritance of such
> powerful capabilities when for many years now we have not done so.
> It seems like reality could be better documented but the present
> behavior should stay. I also find the original choice to be quite
> sane regardless.
>
> David J.
>
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com