Hi All,
This is a "proof-of-concept" patch for a new model around role attributes and fine grained permissions meant to alleviate the current over dependence on superuser.
This is not yet complete and only serves as a proof-of-concept at this point, but I wanted to share it in the hopes of receiving comments, suggestions and general feedback.
The general gist of this patch is as follows:
* New system catalog "pg_permission" that relates role id's to permissions.
* New syntax.
- GRANT <permission> TO <role>
- REVOKE <permission> FROM <role>
where, <permission> is one of an enumerated value, such as "CREATE ROLE" or "CREATE DATABASE".
* Refactor CREATEDB and NOCREATEDB role attribute to "CREATE DATABASE" permission set by GRANT or REVOKE.
* Refactor CREATEROLE and NOCREATEROLE role attribute to "CREATE ROLE" permission set by GRANT or REVOKE.
Again, this is meant to serve as a proof-of-concept. It is not comprehensive and only demonstrates how this might work with a few already defined permissions.
I have attached the current patch based on master.
Any comments or feedback would be greatly appreciated.
Thanks,
Adam
--