Re: Additional role attributes && superuser review - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: Additional role attributes && superuser review
Date
Msg-id 20150126190503.GW3854@tamriel.snowman.net
In response to Re: Additional role attributes && superuser review  (Andres Freund <andres@2ndquadrant.com>)
Responses Re: Additional role attributes && superuser review
List pgsql-hackers
* Andres Freund (andres@2ndquadrant.com) wrote:
> On 2015-01-26 13:47:02 -0500, Stephen Frost wrote:
> > Right.  We already have a role attribute which allows pg_basebackup
> > (replication).  Also, with pg_basebackup / rolreplication, your role
> > is able to read the entire data directory from the server, that's not
> > the case with only rights to run pg_start/stop_backup.
> >
> > In conjunction with enterprise backup solutions and SANs, which offer
> > similar controls where a generally unprivileged user can have a snapshot
> > of the system taken through the SAN interface, you can give users the
> > ability to run ad-hoc backups of the cluster without giving them
> > superuser-level access or replication-level access.
>
> I'm sorry if this has already been discussed, but the thread is awfully
> long already. But what's actually the point of having a separate
> EXCLUSIVEBACKUP permission? Using it still requires full file system
> access to the data directory, so the additional permissions granted by
> replication aren't really relevant.

I agree that it's a pretty long thread for what amounts to a few
relatively straightforward role attributes (at least, in my view).

> I don't think the comparison with the SAN snapshot functionality is apt:
> The SAN solution itself will still run with full data access. Just
> pressing the button for the snapshot requires less. You're comparing
> that button to pg_start/stop_backup() - but that doesn't make sense,
> because it's only useful if somebody actually takes the backup during
> that time.

I'm not following your logic here.  You're right, just pressing the
button to take a snapshot can be granted out to a lower-level user using
the SAN solution.  That snapshot's useless unless the user can first run
pg_start_backup though (and subsequently run pg_stop_backup afterwards).
Clearly, XLOG archiving has to be set up already, but that would be set
up when the system is initially brought online.

This capability would be used in conjunction with the SAN snapshot
capability; it's not intended to be a comparison to what SANs offer.
Thanks!
    Stephen
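The procedure argued about above (start the backup window, have the lower-privileged operator trigger the storage snapshot, end the window, with WAL archiving already on) as a wrapper script. This is an added example for readers of the thread, not code from the thread or from PostgreSQL itself. It assumes `psql` is on PATH and connects as a role permitted to call the backup functions, uses the `pg_start_backup()`/`pg_stop_backup()` exclusive-mode functions as they existed when this was written, and leaves the actual snapshot as a site-specific `SNAPSHOT_CMD` placeholder.

```shell
#!/bin/sh
# Added example, not from the pgsql-hackers thread or the PostgreSQL project.
# Wraps a storage-level snapshot in pg_start_backup()/pg_stop_backup() so the
# snapshot plus archived WAL is a usable base backup.  The operator running this
# only needs rights to call the two backup functions and to press the snapshot
# button; it never reads the data directory itself.
# Assumptions: psql on PATH, PG* environment set for the connection, and
# SNAPSHOT_CMD (placeholder) is whatever triggers the SAN snapshot at your site.

: "${PGDATABASE:=postgres}"
SNAPSHOT_CMD="${SNAPSHOT_CMD:-echo 'placeholder: trigger SAN snapshot here'}"

# Run one SQL statement; print the result tuples only, unaligned, no ~/.psqlrc.
run_sql() {
    psql -X -A -t -q -v ON_ERROR_STOP=1 -c "$1"
}

# Precondition raised in the thread: WAL archiving must already be on, or the
# WAL needed to bring the snapshot to a consistent state is never shipped.
archiving_enabled() {
    mode=$(run_sql "SHOW archive_mode") || return 1
    [ "$mode" = "on" ] || [ "$mode" = "always" ]
}

# Take a snapshot inside a backup window.  Returns 0 on success, 1 if
# archiving is off, the start call fails, the snapshot fails or the stop fails.
snapshot_backup() {
    # Restrict the label to a plain tag so it can be embedded in the SQL literal.
    label=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9_-')
    [ -n "$label" ] || { echo "empty backup label" >&2; return 1; }

    archiving_enabled || {
        echo "archive_mode is not on; refusing to snapshot" >&2
        return 1
    }

    # 'true' = fast checkpoint, so the window opens without a long wait.
    run_sql "SELECT pg_start_backup('$label', true)" >/dev/null || return 1

    # Whatever happens to the snapshot, always close the backup window so the
    # cluster is not left in exclusive-backup mode.
    rc=0
    sh -c "$SNAPSHOT_CMD" || rc=1
    run_sql "SELECT pg_stop_backup()" >/dev/null || rc=1
    return $rc
}

# Stand-alone use:  SNAPSHOT_CMD='san-cli snapshot vol-pgdata' ./snapshot_backup.sh nightly
if [ "$#" -gt 0 ]; then
    snapshot_backup "$1"
fi
```

The stop call runs unconditionally after the snapshot attempt because a failed snapshot that leaves the cluster in backup mode is worse than a failed backup. In PostgreSQL 15 and later the exclusive functions are gone and the same pattern uses `pg_backup_start()`/`pg_backup_stop()` on a single session.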
