Re: Proposal: Change of pg_trigger.tg_enabled and adding - Mailing list pgsql-hackers

From Jim Nasby
Subject Re: Proposal: Change of pg_trigger.tg_enabled and adding
Date
Msg-id E53A5069-3DEF-44A3-AC88-B672A5D7B9CE@decibel.org
Whole thread Raw
In response to Re: Proposal: Change of pg_trigger.tg_enabled and adding  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Jan 26, 2007, at 5:09 PM, Tom Lane wrote:
> Jan Wieck <JanWieck@Yahoo.com> writes:
>> On 1/26/2007 4:40 PM, Jim Nasby wrote:
>>> It would be nice if we had a separate role for replication services
>>> so that we weren't exposing superuser so much.
>
>> So you think about another flag in pg_shadow? Would work for me.

Not really sure if that's necessary or not... there might be better  
ways to do it.

> How exactly would such a role differ from a "regular" superuser?  It
> would still need an awful lot of privilege bypassing ability.  I'm
> pretty dubious that you could lock it down enough to make it worth the
> trouble of supporting an additional concept.

There's two cases...

First is the role that actually sets up replication. It's going to  
need a decent amount of privileges... on the origin, it will need to  
add triggers to tables. Possibly create a schema as well (though, I'd  
argue that that should happen when you install replication, which is  
different than just adding a new table to a replication set, or  
adding a new node).

On the replica, it's going to need to be able to alter tables to  
disable triggers. If we want to be fancy and replicate DDL, it'd need  
to be able to do that as well.

But it's important to note that we could require the user to grant  
those abilities specifically to the replication admin role. Maybe not  
what we actually want, but it's something to consider.

The second case is the role that's actually replicating data. It will  
need to INSERT/UPDATE/DELETE on replica tables. Presumably it will  
need some rights on objects that actually implement the replication  
(think objects in the _cluster_name schema in slony), but when the  
node is added the replication admin role should be able to handle that.

Both of those are much more limited than a superuser is... they can't  
create databases, they can't run admin functions such as  
pg_cancel_backend, etc, etc.
--
Jim Nasby                                            jim@nasby.net
EnterpriseDB      http://enterprisedb.com      512.569.9461 (cell)




pgsql-hackers by date:

Previous
From: Jim Nasby
Date:
Subject: Re: BUG #2917: spi_prepare doesn't accept typename aliases
Next
From: Tom Lane
Date:
Subject: Re: Proposal: Snapshot cloning