Re: postgres database user account - Mailing list pgsql-admin

From Tom Lane
Subject Re: postgres database user account
Date
Msg-id 16820.1277930292@sss.pgh.pa.us
Whole thread Raw
In response to Re: postgres database user account  ("Maria L. Wilson" <Maria.L.Wilson-1@nasa.gov>)
List pgsql-admin
"Maria L. Wilson" <Maria.L.Wilson-1@nasa.gov> writes:
> that sounds similar to what we are trying to accomplish.  Looks like
> what we need to do is use the sudo at the OS level - and remove the
> postgres db user account altogether....  giving specific users the privs
> (or create roles) that accomplish what they need.

You can't remove the postgres DB account; it owns the core system
catalogs, functions, etc.  In any case, understand that any superuser
database account is as powerful as any other.  Giving DBAs superuser
accounts other than postgres is probably good just from an
administrative standpoint, but it won't reduce their capability to
screw things up.

If you're using a PG version recent enough to have a "createrole"
account attribute as distinct from "superuser", look into how much of
your admin work can be done with "createrole" accounts.  Those are
a lot weaker than full superuser, but still are enough for many ordinary
admin tasks (such as managing everyday-user accounts).

            regards, tom lane

pgsql-admin by date:

Previous
From: "Maria L. Wilson"
Date:
Subject: Re: postgres database user account
Next
From: Gilberto Castillo Martínez
Date:
Subject: Re: postgres database user account