At Tue, 9 Jun 2020 16:35:55 +0900, Michael Paquier <michael@paquier.xyz> wrote in
> On Tue, Jun 09, 2020 at 03:32:24PM +0900, Masahiko Sawada wrote:
> > One thing I'm concerned with this change is that we will end up
> > needing to grant both execute on pg_show_replication_origin_status()
> > and select on pg_replication_origin_status view when we want a
> > non-super user to access pg_replication_origin_status. It’s unlikely
> > that the user can grant both privileges at once as
> > pg_show_replication_origin_status() is not documented.
I also concerned that, but normally all that we should do to that is
GRANTing pg_read_all_stats to the role. I don't think there is a case
where someone wants to allow the view to a user, who should not be
allowed to see other stats views.
> Not sure if that's worth worrying. We have similar cases like that,
> take for example pg_file_settings with pg_show_all_file_settings()
> which requires both a SELECT ACL on pg_file_settings and an EXECUTE
> ACL on pg_show_all_file_settings(). My point is that if you issue a
> GRANT SELECT on the catalog view, the user can immediately see when
> trying to query it that an extra execution is needed.
I agree to that as far as that is not the typical use case, and I
don't think that that's the typical use case.
> > A user having a replication privilege already is able to execute these
> > functions. Do you mean to ease it so that a user also executes them
> > without replication privilege?
>
> Arf. Please forget what I wrote here, the hardcoded check for
> replication rights would be a problem.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
