| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: pg_dump roles support |
| Date: | 2007-12-10 16:22:33 |
| Message-ID: | 20071210162233.GQ5031@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > create role admin with noinherit;
> > grant postgres to admin;
> > grant admin to joesysadmin;
>
> > pg_dump -U joesysadmin mydb;
>
> > Fails because joesysadmin hasn't got rights to everything directly.
>
> Seems like the correct answer to that is "use a saner role
> configuration".
Funny, it's exactly the type of setup described here:
http://www.postgresql.org/docs/8.2/interactive/role-membership.html
Far as I can tell anyway. What would you suggest? The point here is
that joesysadmin shouldn't get full postgres privs on login since most
of the time he won't need them. When he does need them, he can do a
'set role postgres', do what he needs to do and then 'reset role' when
he's done. Minimizing the amount of time with superuser privs is a good
thing in general, I would think.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Hiroshi Saito | 2007-12-10 16:23:22 | Re: Problem of a server gettext message. |
| Previous Message | Tom Lane | 2007-12-10 16:19:55 | Re: pg_dump roles support |