Re: Re: BUG #6264: Superuser does not have inherent Replication permission

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Noah Misch <noah(at)leadboat(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Keith Fiske <keith(at)omniti(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: Re: BUG #6264: Superuser does not have inherent Replication permission
Date: 2011-10-27 22:15:21
Message-ID: 7162.1319753721@sss.pgh.pa.us
Lists: pgsql-bugs
Noah Misch <noah(at)leadboat(dot)com> writes:
> Let's look at the behavior of DDL-exposed access constraints for precedent.  We
> currently have three paradigms for applying access control to superusers:

> 1. Settings that affect superusers and regular users identically.  These include
> ALTER ROLE ... LOGIN | VALID UNTIL.

> 2. Rights that superusers possess implicitly and irrevocably; the actual setting
> recorded in pg_authid or elsewhere has no effect.  These include GRANT ... ON
> TABLE and ALTER ROLE ... CREATEDB | CREATEROLE.

> 3. ALTER ROLE ... REPLICATION is very similar to #1, except that CREATE ROLE
> ... SUPERUSER implies CREATE ROLE ... SUPERUSER REPLICATION.

> I think we should merge #3 into #2; nothing about the REPLICATION setting
> justifies a distinct paradigm.

Yeah, there's much to be said for that.  I thought the notion of a
privilege that superusers might not have was pretty bogus to start with.

rolcatupdate isn't a very good precedent to rely on because it's never
been documented or used to any noticeable extent, so there's no reason
to think that it provides a tested-and-accepted behavior.

			regards, tom lane
