Re: Additional role attributes && superuser review

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, David Steele <david(at)pgmasters(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Additional role attributes && superuser review
Date: 2015-11-24 20:56:55
Message-ID: CAOuzzgqjw186Nj2DFKeOj1HABaXwtsWXOpe-GB1s5fexVCoo3Q@mail.gmail.com
Lists: pgsql-hackers

On Tuesday, November 24, 2015, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
wrote:

> Stephen Frost wrote:
>
> > Even so, in the interest of having more fine-grained permission
> > controls, I've gone ahead and added a pg_switch_xlog default role.
> > Note that this means that pg_switch_xlog() can be called by both
> > pg_switch_xlog roles and pg_backup roles. I'd be very much against
> > removing the ability to call pg_switch_xlog from the pg_backup role as
> > that really is a capability which is needed by users running backups and
> > it'd just add unnecessary complexity to require users setting up backup
> > tools to grant two different roles to get the backup to work.
>
> Isn't it simpler to grant pg_switch_xlog to pg_backup in the default
> config?
>

I'm not against it, but it would imply a set of data lines for
pg_auth_members, which we don't have today. We can't easily directly GRANT
the role due to the restrictions put in place to prevent regular users from
changing the system roles. On the other hand, we could change the check to
only apply when we aren't in bootstrap mode.

Thanks!

Stephen
