Thread: Blocking the use of TRIGGER privilege

Blocking the use of TRIGGER privilege

From
Simon Riggs
Date:
The separate TRIGGER privilege is considered obsolescent. It is not
heavily used and exists mainly to facilitate trigger-based replication
in a multi-user system.
i.e.
GRANT TRIGGER ON foo TO bob;

Since logical replication recommends "Limit ownership and TRIGGER
privilege on such tables to trusted roles.", then it would be useful
to have a way to put in a restriction on that for the trigger
privilege.

We might suggest removing it completely, but it does appear to be a
part of the SQL Standard, T211-07, so that is not an option. In any
case, such a move would need us to do a lengthy deprecation dance
across multiple releases.

But we can just have an option to prevent the TRIGGER privilege being granted.

allow_trigger_privilege = off (new default in PG16) | on
shown in postgresql.conf, only settable at server start so that it
even blocks superusers and special roles.

Existing usage of the trigger privilege would not be touched, only new usage.

(No, this does not mean I want to ban triggers, only the trigger privilege).

Thoughts?

-- 
Simon Riggs                http://www.EnterpriseDB.com/