| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, David Steele <david(at)pgmasters(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Additional role attributes && superuser review |
| Date: | 2015-11-30 18:32:52 |
| Message-ID: | 20151130183252.GH3685@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Fri, Nov 20, 2015 at 12:29 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > * Michael Paquier (michael(dot)paquier(at)gmail(dot)com) wrote:
> >> On Thu, Nov 19, 2015 at 7:10 AM, Stephen Frost wrote:
> >> > * Michael Paquier (michael(dot)paquier(at)gmail(dot)com) wrote:
> >> >> It seems weird to not have a dedicated role for pg_switch_xlog.
> >> >
> >> > I didn't add a pg_switch_xlog default role in this patch series, but
> >> > would be happy to do so if that's the consensus. It's quite easy to do.
> >>
> >> Agreed. I am not actually getting why that's part of the backup
> >> actually. That would be more related to archiving, both being
> >> unrelated concepts. But at this point I guess that's mainly a
> >> philosophical split.
> >
> > As David notes, they're actually quite related. Note that in our
> > documentation pg_switch_xlog() is listed in the "Backup Control
> > Functions" table.
> >
> > I can think of a use-case for a user who can call pg_switch_xlog, but
> > not pg_start_backup()/pg_stop_backup(), but I have to admit that it
> > seems rather limited and I'm on the fence about it being a worthwhile
> > distinction.
>
> Sounds too narrow to me. Are we going to have a separate predefined
> role for every security-restricted function to which someone might
> want to grant access? That seems over the top to me.
I certainly don't want to go down to that level and was, as seen above,
unsure about having pg_switch_xlog() as a differentiated privilege.
Michael, do you still see that as a useful independent capability?
> I don't think we should make it our goal to completely eliminate the
> use of SECURITY DEFINER functions for privilege delegation. Of
> course, being able to grant privileges directly is nicer, because then
> the client code doesn't have to know about it. But I think it's OK,
> even good, if the predefined roles cater to the common cases, and the
> less common cases aren't handled quite as elegantly.
Agreed.
Thanks!
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2015-11-30 19:43:59 | Remaining 9.5 open items |
| Previous Message | Jeff Janes | 2015-11-30 18:25:18 | Re: Using quicksort for every external sort run |