On Fri, Jan 29, 2016 at 6:37 AM, Stephen Frost <
sfrost@snowman.net> wrote:
> * Robert Haas (
robertmhaas@gmail.com) wrote:
>> On Thu, Jan 28, 2016 at 11:04 AM, Stephen Frost <
sfrost@snowman.net> wrote:
>> > Personally, I don't have any particular issue having both, but the
>> > desire was stated that it would be better to have the regular
>> > GRANT EXECUTE ON catalog_func() working before we consider having
>> > default roles for same. That moves the goal posts awful far though, if
>> > we're to stick with that and consider how we might extend the GRANT
>> > system in the future.
>>
>> I don't think it moves the goal posts all that far. Convincing
>> pg_dump to dump grants on system functions shouldn't be a crazy large
>> patch.
>
> I wasn't clear as to what I was referring to here. I've already written
> a patch to pg_dump to support grants on system objects and agree that
> it's at least reasonable.
Is it already posted somewhere? I don't recall seeing it. Robert and Noah have a point that this would be useful for users who would like to dump GRANT/REVOKE rights on system functions & all, using a new option in pg_dumpall, say --with-system-acl or --with-system-privileges. If at least the three of you are agreeing here I think that we should try to move at least toward this goal first. That seems a largely doable goal for 9.6. For the set of default roles, there is clearly no clear consensus regarding what each role should do or not, and under which limitation it should operate.
