Re: Monitoring roles patch - Mailing list pgsql-hackers
From | Robert Haas |
---|---|
Subject | Re: Monitoring roles patch |
Date | |
Msg-id | CA+TgmoadTvGh9_O71iQ8vjEePhSwtPo148We15+k568hXHMEJw@mail.gmail.com Whole thread Raw |
In response to | [HACKERS] Monitoring roles patch (Dave Page <dpage@pgadmin.org>) |
Responses |
Re: Monitoring roles patch
|
List | pgsql-hackers |
On Fri, Mar 24, 2017 at 12:46 PM, Dave Page <dpage@pgadmin.org> wrote: > On Fri, Mar 24, 2017 at 4:24 PM, Robert Haas <robertmhaas@gmail.com> wrote: >>> If we make the users run all the statements individually then they'll >>> also have to get an updated script for the next version of PG too >>> because we will have added things that the tools will want access to. >> >> That's possible, but it really depends on the tool, not on core >> PostgreSQL. The tool should be the one providing the script, because >> the tool is what knows its own permissions requirements. Users who >> care about security won't want to grant every privilege given by a >> pg_monitor role to a tool that only needs a subset of those >> privileges. > > The upshot of this would be that every time there's a database server > upgrade that changes the permissions required somehow, the user has to > login to every server they have and run a script. It is no longer a > one-time thing, which makes it vastly more painful to deal with > upgrades. So, I might be all wet here, but I would have expected that changes on the TOOL side would be vastly more frequent. I mean, we do not change what a certain builtin permission does very often. If we add pg_read_all_settings, what is the likelihood that the remit of that role is ever going to change? I would judge that was is vastly more likely is that a new version of some tool would start needing that privilege (or some other) where it didn't before. If that happens, and the script is on the tool side, then you just add a new line to the script. If the script is built into initdb, then you've got to wait for the next major release before you can update the definition of pg_monitor - and maybe argue with other tool authors with different requirements. >>> With the approach that Dave and I are advocating, we can avoid all of >>> that. Contrib modules can bake-in GRANTs to the appropriate roles, >>> upgrades can be handled smoothly even when we add new capabilities which >>> are appropriate, users have a simple and straight-forward way to set up >>> good monitoring, and tool authors will know what permissions are >>> available and can finally have a better answer than "well, just make the >>> monior user superuser if you want to avoid all these complexities." >> >> They can have that anyway. They just have to run a script provided by >> the tool rather than one provided by the core project as a >> one-size-fits-all solution for every tool. > > Do you object to having individual default roles specifically for > cases where there are superuser-only checks at the moment that prevent > GRANT? e.g. pg_show_all_settings for SHOW, pg_show_all_stats for > pg_tablespace_size and friends, pg_stat_statements for, well, > pg_stat_statements and so on? It would be an inferior solution in my > opinion, given that it would demonstrably cause users more work, but > at least we could do something. I think pg_show_all_settings is brilliant. It's narrowly targeted and in no way redundant with what can anyway be done with GRANT otherwise. As far as the others, I think that we should just let people GRANT privileges one by one whenever that's possible, and use built-in roles where it isn't. So I'm fine with this: - if (tblspcOid != MyDatabaseTableSpace) + if (tblspcOid != MyDatabaseTableSpace && + !is_member_of_role(GetUserId(), DEFAULT_ROLE_READ_ALL_STATS)) But I don't like this: +GRANT EXECUTE ON FUNCTION pgstattuple(text) TO pg_read_all_stats; My position is that execute permission on a function is already grantable, so granting it by default to a built-in role is just removing flexibility which would otherwise be available to the user. I do understand that in some cases that may result in a long list of GRANT commands to make a particular monitoring tool work, but I think the right solution is to package those commands in an extension or script distributed with that tool. When there's a permission that is reasonably necessary for monitoring tools (or some other reasonable purpose) and we can't arrange for that permission to be given via a GRANT EXECUTE ON FUNCTION, then I support adding built-in roles for those things. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
pgsql-hackers by date: