Re: pg_basebackup issue

From: chiru r <chirupg(at)gmail(dot)com>
To: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
Cc: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, John R Pierce <pierce(at)hogranch(dot)com>, Forums postgresql <pgsql-general(at)postgresql(dot)org>
Subject: Re: pg_basebackup issue
Date: 2017-04-23 11:52:58
Message-ID: CA+RSxMhHxK1oiiwJOwUuEcGJBpq1CzHVR7nQu=+3nM=uoH_cwQ@mail.gmail.com
Lists: pgsql-general

Thank you for your reply.

I agree. However, we are planning for users not to have any direct privileges
on database objects or default roles (like
SUPERUSER, CREATEDB, REPLICATION, etc.) in postgres.

We are looking to create users (LOGIN) only and grant all the privileges through
roles like below.

*Steps:*
1. Create user
2. Create role
3. GRANT required privileges/default attributes (SUPERUSER, REPLICATION, etc.) to
   role
4. GRANT role to users.

So, if I follow the above process, I am not able to do pg_basebackup.
Now the only options I have left are either to use the postgres user or to create a
user directly with the replication role (which we are not interested in).

In the future, is there a possibility to allow a user (using the above steps) to do
pg_basebackup?

Thanks,
Chiru

On Sun, Apr 23, 2017 at 12:10 AM, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
wrote:

> On 04/22/2017 08:04 PM, chiru r wrote:
>
>> Use case: Want to control database privileges/default roles by creating
>> roles instead of granting directly to users.
>> So that we can manage database access control easily.
>>
>
> Which you can do. However, pg_basebackup is a cluster wide command not
> tied to a particular database, so database privileges do not apply. You can
> still manage it by restricting the roles able to connect to 'replication'
> in pg_hba.conf and creating roles that match that have only the replication
> attribute. It is why the replication attribute was added to role creation.
>
>
>> Thanks,
>> Chiru
>>
>> On Sat, Apr 22, 2017 at 10:03 PM, David G. Johnston
>> <david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
>>
>> On Saturday, April 22, 2017, chiru r <chirupg(at)gmail(dot)com> wrote:
>>
>> Thank you Adrian.
>>
>> It seems the code is allowing only those who have the Superuser/Replication
>> role directly.
>>
>> Is there any possibility that future releases will allow both case
>> A & B users to use pg_basebackup?
>>
>>
>> It does not seem wise to introduce inheritance of such
>> powerful capabilities when for many years now we have not done so.
>> It seems like reality could be better documented but the present
>> behavior should stay. I also find the original choice to be quite
>> sane regardless.
>>
>> David J.
>>
>>
>>
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com
>
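
The behaviour discussed in this thread, as an added example that is not part of the original messages: role attributes such as REPLICATION are not inherited through membership, so this catalog query separates login roles that hold the attribute directly from those that only belong to a role holding it. The role names and the address in the comments are hypothetical.

```sql
-- Added illustration; not from the thread. Role names below are hypothetical.
-- Setup mirroring the steps in the message (superuser, test cluster):
--   CREATE ROLE backup_grp NOLOGIN REPLICATION;
--   CREATE ROLE alice LOGIN;
--   GRANT backup_grp TO alice;                     -- alice does NOT gain REPLICATION
--   CREATE ROLE basebackup_svc LOGIN REPLICATION;  -- attribute set directly
--
-- Matching pg_hba.conf entry limiting who may open replication connections
-- (constructed address from the documentation range):
--   host  replication  basebackup_svc  192.0.2.10/32  scram-sha-256

WITH RECURSIVE membership AS (
    -- direct memberships: member -> granted role
    SELECT m.member, m.roleid
    FROM pg_auth_members m
    UNION
    -- transitive memberships (role granted to a role granted to a user)
    SELECT ms.member, m.roleid
    FROM membership ms
    JOIN pg_auth_members m ON m.member = ms.roleid
)
SELECT u.rolname AS login_role,
       -- only attributes on the login role itself are checked at connect time
       (u.rolreplication OR u.rolsuper) AS can_connect_for_replication,
       -- groups whose REPLICATION/SUPERUSER attribute is NOT passed on
       COALESCE(
           array_agg(g.rolname ORDER BY g.rolname)
               FILTER (WHERE g.rolreplication OR g.rolsuper),
           '{}') AS member_of_roles_with_attribute
FROM pg_roles u
LEFT JOIN membership ms ON ms.member = u.oid
LEFT JOIN pg_roles g ON g.oid = ms.roleid
WHERE u.rolcanlogin
GROUP BY u.rolname, u.rolreplication, u.rolsuper
ORDER BY u.rolname;
```

A row with `can_connect_for_replication = false` and a non-empty third column is the case described in the message: the user was granted a role carrying the attribute, but pg_basebackup will still be refused for that login.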
