Home > mailing lists

Re: Granting control of SUSET gucs to non-superusers - Mailing list pgsql-hackers

From	Jacob Champion
Subject	Re: Granting control of SUSET gucs to non-superusers
Date	May 13, 2021 22:18:32
Msg-id	2c65ab8db3aa3bfc8d6ef919175475be4c3bd6aa.camel@vmware.com Whole thread Raw
In response to	Re: Granting control of SUSET gucs to non-superusers (Mark Dilger <mark.dilger@enterprisedb.com>)
Responses	Re: Granting control of SUSET gucs to non-superusers Re: Granting control of SUSET gucs to non-superusers
List	pgsql-hackers

Tree view

On Thu, 2021-05-13 at 11:42 -0700, Mark Dilger wrote:
> The distinction that Theme+Security would make is that capabilities
> can be categorized by the area of the system:
>   -- planner
>   -- replication
>   -- logging
>   ...
> but also by the security implications of what is being done:
>   -- host
>   -- schema
>   -- network
Since the "security" buckets are being used for both proposals -- how
you would deal with overlap between them? When a GUC gives you enough
host access to bleed into the schema and network domains, does it get
all three attributes assigned to it, and thus require membership in all
three roles?

(Thanks, by the way, for this thread -- I think a "capability system"
for superuser access is a great idea.)

--Jacob

pgsql-hackers by date:

From: Bruce Momjian
Date: 13 May 2021, 22:13:23
Subject: Re: compute_query_id and pg_stat_statements

From: Stephen Frost
Date: 13 May 2021, 22:27:15
Subject: Re: Granting control of SUSET gucs to non-superusers

Re: Granting control of SUSET gucs to non-superusers - Mailing list pgsql-hackers

Previous

Next