Re: PG 14 release notes, first draft - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: PG 14 release notes, first draft
Date
Msg-id 20210523001658.GK8971@momjian.us
In response to Re: PG 14 release notes, first draft  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
On Sat, May 22, 2021 at 07:29:45PM -0400, Stephen Frost wrote:
> Greetings,
> 
> * Bruce Momjian (bruce@momjian.us) wrote:
> > I have committed the first draft of the PG 14 release notes.  You can
> > see the most current build of them here:
> > 
> >     https://momjian.us/pgsql_docs/release-14.html
> 
> It occurs to me that the wording around the new default roles could
> probably be better.  Specifically:
> 
> Add predefined roles pg_read_all_data and pg_write_all_data (Stephen Frost)
> 
> These non-login roles give read-only/write-only access to all objects.
> 
> Might be better as:
> 
> These non-login roles give read, or write, access to all tables, views,
> and sequences.
> 
> (These roles don't actually allow, for example, a function to be
> redefined, so saying 'all objects' isn't quite right either.)
> 
> While these roles could be used to create a 'read only' or 'write only'
> role, they, themselves, do not explicitly convey that on to a role
> because they don't do anything to prevent someone from GRANT'ing other
> rights to some role which has been GRANT'd these predefined roles.  I
> don't think anyone on this list thought differently from that, but the
> phrasing strikes me as potentially confusing.
> 
> Maybe another way would be:
> 
> These non-login roles give (only) read, or write, access to all tables,
> views, and sequences.
> 
> but I don't think saying 'only' there really adds anything and instead
> invites confusion.

OK, I went with this text:

    <listitem>
    <!--
    Author: Stephen Frost <sfrost@snowman.net>
    2021-04-05 [6c3ffd697] Add pg_read_all_data and pg_write_all_data roles
    -->
    
    <para>
    Add predefined roles <link
    linkend="predefined-roles"><structname>pg_read_all_data</structname></link>
    and <structname>pg_write_all_data</structname> (Stephen Frost)
    </para>
    
    <para>
    These non-login roles can be used to give read or write permission to
    all tables, views, and sequences.
    </para>
    </listitem>

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.
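
The point made in the quoted message, that membership in pg_read_all_data does not by itself keep a role read-only, shown as an added example (not part of the original message or of the PostgreSQL sources). The role report_reader and the table demo_accounts are hypothetical names; the script assumes PostgreSQL 14 or later and a session allowed to create roles.

```sql
-- Added example: hypothetical role and table names, PostgreSQL 14 or later.
BEGIN;  -- rolled back at the end, so the demo leaves nothing behind

CREATE ROLE report_reader NOLOGIN;                                  -- hypothetical role
CREATE TABLE demo_accounts (id int PRIMARY KEY, balance numeric);   -- constructed table

-- Membership confers read access to all tables, views and sequences.
GRANT pg_read_all_data TO report_reader;

-- Effective privileges right after the membership grant.
SELECT has_table_privilege('report_reader', 'demo_accounts', 'SELECT') AS can_read,
       has_table_privilege('report_reader', 'demo_accounts', 'INSERT') AS can_write;

-- Nothing about the membership prevents a later, additional grant.
GRANT INSERT ON demo_accounts TO report_reader;

-- Audit: direct, non-superuser members of pg_read_all_data that can
-- also modify some user relation. Indirect (nested) members are not
-- expanded by this query.
SELECT m.rolname       AS member,
       c.oid::regclass AS relation,
       has_table_privilege(m.oid, c.oid, 'INSERT')   AS can_insert,
       has_table_privilege(m.oid, c.oid, 'UPDATE')   AS can_update,
       has_table_privilege(m.oid, c.oid, 'DELETE')   AS can_delete,
       has_table_privilege(m.oid, c.oid, 'TRUNCATE') AS can_truncate
FROM pg_auth_members am
JOIN pg_roles g     ON g.oid = am.roleid
JOIN pg_roles m     ON m.oid = am.member
JOIN pg_class c     ON c.relkind IN ('r', 'p', 'v', 'm')
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE g.rolname = 'pg_read_all_data'
  AND NOT m.rolsuper
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege(m.oid, c.oid, 'INSERT, UPDATE, DELETE, TRUNCATE')
ORDER BY 1, 2;

ROLLBACK;
```

Run without the demo statements, the audit query lists every relation on which a member of pg_read_all_data holds a write privilege, which is the check to make before treating such a role as read-only.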



