From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
Cc: | Georgios Kokolatos <gkokolatos(at)protonmail(dot)com>, PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: New default role- 'pg_read_all_data' |
Date: | 2020-08-28 12:54:11 |
Message-ID: | 20200828125411.GX29590@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Greetings,
* Isaac Morland (isaac(dot)morland(at)gmail(dot)com) wrote:
> On Fri, 28 Aug 2020 at 08:43, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > This would simply REVOKE that role from the user. Privileges
> > independently GRANT'd directly to the user wouldn't be affected. Nor
> > would other role membership.
> >
> > > What privileges would the user be left with? Would it be possible to end
> > up in the same privilege only with a GRANT command?
>
> What about:
>
> REVOKE SELECT ON [table] FROM pg_read_all_data;
Wouldn't have any effect, and I think that's correct.
> I guess what I’m really asking is whether pg_read_all_data is automatically
> granted SELECT on all newly-created relations, or if the permission
> checking system always returns TRUE when asked if pg_read_all_data can
> select from a relation? I’m guessing it’s the latter so that it would be
> ineffective to revoke select privilege as I think this is more useful, but
> I’d like to be sure and the documentation should be explicit on this point.
Yes, it's the latter. I'm not really sure about the documentation
change you're contemplating- have a specific suggestion?
Thanks,
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | gkokolatos | 2020-08-28 13:06:17 | Re: New default role- 'pg_read_all_data' |
Previous Message | Magnus Hagander | 2020-08-28 12:53:15 | Re: New default role- 'pg_read_all_data' |