Re: Additional role attributes && superuser review - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Additional role attributes && superuser review
Date
Msg-id 20160117192242.GF16401@momjian.us
Whole thread Raw
In response to Re: Additional role attributes && superuser review  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Additional role attributes && superuser review
List pgsql-hackers
On Wed, Jan  6, 2016 at 12:29:14PM -0500, Robert Haas wrote:
> The point is that with the GRANT EXECUTE ON FUNCTION proposal, authors
> of monitoring tools enjoy various really noteworthy advantages.  They
> can have monitoring roles which have *exactly* the privileges that
> their tool needs, not whatever set of permissions (larger or smaller)
> the core project has decide the pg_monitor role should have.  They can
> have optional features requiring extra permissions and those extra
> permissions can be granted in precisely those shops where those extra
> features are in use.  They can deploy a new versions of their
> monitoring tool that requires an extra privilege on an existing
> PostgreSQL release without requiring any core modifications, which
> shaves years of time off the deployment schedule and avoids
> contentious arguments with the lovable folks who populate this mailing
> list.  That sounds *terrific* to me compared to the alternative you
> are proposing.

I assume backup tools would either document the functions they want
access to via SQL commands, or supply a script.  I assume they would
create a non-login role (group) with the desired permissions, and then
have users inherit from that.  They would also need to be able to allow
upgrades where they would (conditionally?) add the role and then
add/revoke permissions as needed, e.g. they might not need all
permissions they needed in a previous release, or they might need new
ones.

That all seems very straight-forward to me.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Roman grave inscription                             +



pgsql-hackers by date:

Previous
From: "Constantin S. Pan"
Date:
Subject: Re: Proposal: speeding up GIN build with parallel workers
Next
From: Bruce Momjian
Date:
Subject: Re: ToDo list update for BRIN indexes