I agree, However we are planning, users not to have any direct privileges on database objects or default roles(like SUPERUSER,CREATEDB,REPLICATION..etc) in postgres.
looking to create users(LOGIN) only and Grant all the privileges through roles like below.
Steps:
Create User
Create role
GRANT required privileges/default attributes(SUPERUSER,REPLICATION etc) to Role
GRANT role to Users.
So,If I follow above process I am not able to do pg_basebackup.
Now I have only options left either I have to use postgres user or create a user directly with replication role(Which we are not interested in).
In future is there possibility to allow a user(using above steps) to do pg_basebackup?.
Use case: Want to control database privileges/default roles by creating roles instead of granting directly to users. So that we can manage database access control easily.
Which you can do. However, pg_basebackup is a cluster wide command not tied a particular database, so database privileges do not apply. You can still manage it by restricting the roles able to connect to 'replication' in pg_hba.conf and creating roles that match that have only the replication attribute. It is why the replication attribute was added to role creation.
It seems the code is allowing only who has Superuser/Replication role directly.
Is there any possibility in future releases they allow both case A & B Users able to use pg_basebackup.
It does not seem wise to introduce inheritance of such powerful capabilities when for many years now we have not done so. It seems like reality could be better documented but the present behavior should stay. I also find the original choice to be quite sane regardless.
