On Wed, Jul 10, 2024 at 05:13:58PM +0900, Fujii Masao wrote:
> However, unlike the database owner, pg_maintain by definition should
> have *all* the rights needed for maintenance tasks, including MAINTAIN
> rights on tables and USAGE rights on schemas? ISTM that both
> pg_read_all_data and pg_write_all_data roles are defined similarly,
> with USAGE rights on all schemas. So, granting USAGE rights to
> pg_maintain, but not the database owner, doesn't seem so odd to me.
It doesn't seem so odd to me, either. But there are other things that
could prevent a role with privileges of pg_maintain from being able to
VACUUM a table. For example, the role might not have LOGIN, or it might
not have CONNECT on the database. I think the argument for giving
pg_maintain roles implicit USAGE on all schemas for only maintenance
commands is that we already do that in some cases (e.g., a database-wide
VACUUM).
> I'd like to hear more opinions about this.
+1
--
nathan