Re: Read access for pg_monitor to pg_replication_origin_status view

At Mon, 8 Jun 2020 16:21:45 +0900, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com> wrote in
> I've looked at these patches and have one question:
>
> REVOKE ALL ON pg_replication_origin_status FROM public;
>
> +GRANT SELECT ON pg_replication_origin_status TO pg_read_all_stats;
>
> +REVOKE EXECUTE ON FUNCTION pg_show_replication_origin_status() FROM public;
> +
> +GRANT EXECUTE ON FUNCTION pg_show_replication_origin_status() TO
> pg_read_all_stats;
>
> I thought that this patch has pg_replication_origin_status view behave
> like other pg_stat_* views in terms of privileges but it's slightly
> different. For instance, since we grant all privileges on
> pg_stat_replication to public by default, the only user who either is
> a member of pg_read_all_stats or is superuser can see all values but
> other users not having such privileges also can access that view and
> see the part of statistics. On the other hand, with this patch, we
> allow only user who either is a member of pg_read_all_stats or is
> superuser to access pg_replication_origin_status view. Other users
> cannot even access to that view. Is there any reason why we grant
> select privilege to only pg_read_all_stats? I wonder if we can have
> pg_replication_origin_status accessible by public and filter some
> column data in pg_show_replication_origin_status() that we don't want
> to show to users who neither a member of pg_read_all_stats nor
> superuser.

Yeah, I agree to this (and wrote something like that before).

On the other hand Martín seems to just want to allow other users to
see it while preserving the current behavior. I also understand that
thought.

> There is a typo in 0001 patch:
>
> +--
> +-- Permision to execute Replication Origin functions should be
> revoked from public
> +--
>
> s/Permision/Permission/

Mmm. Right.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center