| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Noah Misch <noah(at)leadboat(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, David Steele <david(at)pgmasters(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Additional role attributes && superuser review |
| Date: | 2016-01-18 18:04:24 |
| Message-ID: | CA+TgmoZqSMBec4igoan2pwCgcJbNzGwihxgWiJ2r76zx1ABtxA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sun, Jan 17, 2016 at 6:58 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> I'm not against that idea, though I continue to feel that there are
> common sets of privileges which backup tools could leverage.
>
> The other issue that I'm running into, again, while considering how to
> move back to ACL-based permissions for these objects is that we can't
> grant out the actual permissions which currently exist. That means we
> either need to break backwards compatibility, which would be pretty
> ugly, in my view, or come up with new functions and then users will have
> to know which functions to use when.
>
> As I don't think we really want to break backwards compatibility or
> remove existing functionality, the only approach which is going to make
> sense is to add additional functions in some cases. In particular, we
> will need alternate versions of pg_terminate_backend and
> pg_cancel_backend. One thought I had was to make that
> 'pg_signal_backend', but that sounds like we'd allow any signal sent by
> a user with that right, which seems a bit much to me...
So, this seems like a case where a built-in role would be
well-justified. I don't really believe in built-in roles as a way of
bundling related permissions; I know you do, but I don't. I'd rather
see the individual function permissions granted individually. But
here you are talking about a variable level of access to the same
function, depending on role. And for that it seems to me that a
built-in role has a lot more to recommend it in that case than it does
in the other. If you have been granted pg_whack, you can signal any
process on the system; otherwise just your own. Those checks are
internal to pg_terminate_backend/pg_cancel_backend so GRANT is not a
substitute.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2016-01-18 18:10:05 | Re: Making plpython 2 and 3 coexist a bit better |
| Previous Message | Robert Haas | 2016-01-18 17:55:56 | Re: [Proposal] Table partition + join pushdown |