Re: Additional role attributes && superuser review

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Noah Misch <noah(at)leadboat(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, David Steele <david(at)pgmasters(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Additional role attributes && superuser review
Date: 2016-01-29 14:41:20
Message-ID: 20160129144120.GA3331@tamriel.snowman.net
Lists: pgsql-hackers

Michael,

* Michael Paquier (michael(dot)paquier(at)gmail(dot)com) wrote:
> On Fri, Jan 29, 2016 at 6:37 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> >> On Thu, Jan 28, 2016 at 11:04 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> >> > Personally, I don't have any particular issue having both, but the
> >> > desire was stated that it would be better to have the regular
> >> > GRANT EXECUTE ON catalog_func() working before we consider having
> >> > default roles for same. That moves the goal posts awful far though, if
> >> > we're to stick with that and consider how we might extend the GRANT
> >> > system in the future.
> >>
> >> I don't think it moves the goal posts all that far. Convincing
> >> pg_dump to dump grants on system functions shouldn't be a crazy large
> >> patch.
> >
> > I wasn't clear as to what I was referring to here. I've already written
> > a patch to pg_dump to support grants on system objects and agree that
> > it's at least reasonable.
>
> Is it already posted somewhere? I don't recall seeing it. Robert and Noah
> have a point that this would be useful for users who would like to dump
> GRANT/REVOKE rights on system functions & all, using a new option in
> pg_dumpall, say --with-system-acl or --with-system-privileges.

Multiple versions were posted on this thread. I don't fault you for not
finding it, this thread is a bit long in the tooth. The one I'm
currently working from is:

http://www.postgresql.org/message-id/attachment/38049/catalog_function_acls_v4.patch

I'm going to split up the pg_dump changes and the backend changes, as
they can logically go in independently (though without both, we're not
moving the needle very far with regards to what administrators can do).

> If at least
> the three of you are agreeing here I think that we should try to move at
> least toward this goal first. That seems a largely doable goal for 9.6. For
> the set of default roles, there is clearly no clear consensus regarding
> what each role should do or not, and under which limitation it should
> operate.

I'm trying to work towards a consensus on the default roles, hence the
questions and discussion posed in the email you replied to.

Thanks!

Stephen
