allow granting CLUSTER, REFRESH MATERIALIZED VIEW, and REINDEX - Mailing list pgsql-hackers

From Nathan Bossart
Subject allow granting CLUSTER, REFRESH MATERIALIZED VIEW, and REINDEX
Date
Msg-id 20221208183707.GA55474@nathanxps13
Whole thread Raw
Responses Re: allow granting CLUSTER, REFRESH MATERIALIZED VIEW, and REINDEX
List pgsql-hackers
Hi hackers,

This is meant as a continuation of the work to make VACUUM and ANALYZE
grantable privileges [0].  As noted there, the primary motivation for this
is to continue chipping away at things that require special privileges or
even superuser.  I've attached two patches.  0001 makes it possible to
grant CLUSTER, REFRESH MATERIALIZED VIEW, and REINDEX.  0002 adds
predefined roles that allow performing these commands on all relations.
After applying these patches, there are 13 privilege bits remaining for
future use.

There is an ongoing discussion in another thread [1] about how these
privileges should be divvied up.  Should each command get it's own
privilege bit (as I've done in the attached patches), or should the
privileges be grouped in some fashion (e.g., adding a MAINTAIN bit that
governs all of them, splitting out exclusive-lock operations from
non-exclusive-lock ones)?

Most of the changes in the attached patches are rather mechanical, and like
VACUUM/ANALYZE, there is room for future enhancement, such as granting the
privileges on databases/schemas instead of just tables.

[0] https://postgr.es/m/20220722203735.GB3996698%40nathanxps13
[1] https://postgr.es/m/20221206193606.GB3078082%40nathanxps13

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

Attachment

pgsql-hackers by date:

Previous
From: Nathan Bossart
Date:
Subject: Re: fix and document CLUSTER privileges
Next
From: Nathan Bossart
Date:
Subject: Re: add \dpS to psql