| From: | Denish Patel <denish(at)omniti(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | jesse(dot)waters(at)gmail(dot)com, "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org> |
| Subject: | Re: Permission select pg_stat_replication |
| Date: | 2015-04-01 16:53:39 |
| Message-ID: | CAFddxvPo8EkRhRAhjDyFNmyaPqRPstC=GLu_Kq5=dPAc1T=QFg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin pgsql-hackers |
Fair enough but they should be able to achieve their goal to avoid granting
SUPER to monitoring user. They have to tweak the grant/revoke as desired.
On Wed, Apr 1, 2015 at 11:53 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Denish Patel (denish(at)omniti(dot)com) wrote:
> > you should be able to use secure_check_postgres method to avoid granting
> > SUPER permission on monitoring user.
> [...]
>
> Denish,
>
> Please see my reply to Payal. This doesn't work. At the very least,
> the permissions on the pg_stat_repl() function need to be adjusted to be
> only GRANT'd to the monitoring user, otherwise the information is
> available to everyone. If that's the intent, then the view might as
> well be granted to PUBLIC.
>
> Recall that, by defualt, EXECUTE on a function is granted to PUBLIC.
>
> Thanks,
>
> Stephen
>
--
Denish Patel,
OmniTI Computer Consulting Inc.
Database Architect,
http://omniti.com/does/data-management
http://www.pateldenish.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2015-04-01 17:05:27 | Re: [ADMIN] Permission select pg_stat_replication |
| Previous Message | Stephen Frost | 2015-04-01 15:53:02 | Re: Permission select pg_stat_replication |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2015-04-01 17:05:27 | Re: [ADMIN] Permission select pg_stat_replication |
| Previous Message | Tom Lane | 2015-04-01 16:53:12 | Re: How about to have relnamespace and relrole? |