Re: Recognizing superuser in pg_hba.conf

From: Christoph Moench-Tegeder <cmt(at)burggraben(dot)net>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Vik Fearing <vik(dot)fearing(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>
Subject: Re: Recognizing superuser in pg_hba.conf
Date: 2020-01-02 20:19:32
Message-ID: 20200102201932.GA2506@elch.exwg.net
Lists: pgsql-hackers

## Stephen Frost (sfrost(at)snowman(dot)net):

> We already have a reserved namespace when it comes to roles,
> specifically "pg_".. why invent something new like this '&' prefix when
> we could just declare that 'pg_superusers' is a role to which all
> superusers are members? Or something along those lines?

Taking this idea one step further (back?): with any non-trivial
number of (user-)roles in the database, DBAs would be well advised
to use group(-role)s for privilege management anyways. It's not
too unreasonable to grant SUPERUSER through a group, too. Although
I'm not sure we'd need a new pg_superuser role here, we're not
inventing a new set of object privileges as in e.g. pg_monitor;
the DBA can just create their own superuser group.
Is there really a need to add more features, or would it be sufficient
to make the applications of group roles more prominent in the docs?
(I've seen way too many cases in which people were granting privileges
to individual users when they should have used groups, so I might
be biased).

Regards,
Christoph

--
Spare Space
