| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Amit Kapila <amit(dot)kapila16(at)gmail(dot)com> |
| Cc: | Jim Nasby <Jim(dot)Nasby(at)bluetreble(dot)com>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Additional role attributes && superuser review |
| Date: | 2014-12-30 13:05:45 |
| Message-ID: | 20141230130545.GL3062@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Amit Kapila (amit(dot)kapila16(at)gmail(dot)com) wrote:
> On Tue, Dec 30, 2014 at 6:52 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > > >There is one issue that occurs to me, however. We're talking about
> > > >pg_dump, but what about pg_dumpall? In particular, I don't think the
> > > >DUMP privilege should provide access to pg_authid, as that would allow
> > > >the user to bypass the privilege system in some environments by using
> > > >the hash to log in as a superuser. Now, I don't encourage using
> > > >password based authentication, especially for superuser accounts, but
> > > >lots of people do. The idea with these privileges is to allow certain
> > > >operations to be performed by a non-superuser while preventing trivial
> > > >access to superuser. Perhaps it's pie-in-the-sky, but my hope is to
> > > >achieve that.
> > >
> > > Ugh, hadn't thought about that. :(
> >
> > I don't think it kills the whole idea, but we do need to work out how to
> > address it.
>
> One way to address this might be to allow this only for superusers,
Huh? The point here is to have a role account which isn't a superuser
who can perform these actions.
> another could be have a separate privilege (DBA) or a role which is
> not a superuser, however can be used to perform such tasks.
I'm pretty sure we've agreed that having a catch-all role attribute like
'DBA' is a bad idea because we'd likely be adding privileges to it later
which would expand the rights of users with that attribute, possibly
beyond what is intended.
> > I don't really like 'xlog' as a permission. BINARY BACKUP is
> > interesting but if we're going to go multi-word, I would think we would
> > do PITR BACKUP or something FILESYSTEM BACKUP or similar. I'm not
> > really a big fan of the two-word options though.
>
> How about PHYSICAL BACKUP (for basebackup) and LOGICAL BACKUP
> for pg_dump?
Again, this makes it look like the read-all right would be specific to
users executing pg_dump, which is incorrect and misleading. "PHYSICAL"
might also imply the ability to do pg_basebackup.
> This is normally the terminology I have seen people using for these
> backup's.
I do like the idea of trying to find a correlation in the documentation
for these rights, though I'm not sure we'll be able to.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2014-12-30 14:05:50 | Re: What exactly is our CRC algorithm? |
| Previous Message | Michael Paquier | 2014-12-30 12:39:33 | Re: Patch: add recovery_timeout option to control timeout of restore_command nonzero status code |