From: | Noah Misch <noah(at)leadboat(dot)com> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org> |
Subject: | Re: public schema default ACL |
Date: | 2020-11-13 02:36:39 |
Message-ID: | 20201113023639.GA1113212@rfd.leadboat.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Nov 09, 2020 at 02:56:53PM -0500, Bruce Momjian wrote:
> On Mon, Nov 2, 2020 at 11:05:15PM -0800, Noah Misch wrote:
> > My plan is for the default to become:
> >
> > GRANT USAGE ON SCHEMA public TO PUBLIC;
> > ALTER SCHEMA public OWNER TO DATABASE_OWNER; -- new syntax
>
> Seems it would be better to create a predefined role that owns the
> public schema, or at least has create permission for the public schema
> --- that way, when you are creating a role, you can decide if the role
> should have creation permissions in the public schema, rather than
> having people always using the database owner for this purpose.
Defaulting to a specific predefined role empowers the role's members in all
databases simultaneously. Folks who want it like that can create a role and
issue "ALTER SCHEMA public OWNER TO that_role" in template1. What's the
better default? I think that depends on whether you regard this schema as a
per-database phenomenon or a per-cluster phenomenon.
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2020-11-13 03:14:29 | Re: scram-sha-256 broken with FIPS and OpenSSL 1.0.2 |
Previous Message | Thomas Munro | 2020-11-13 02:20:26 | Re: WIP: WAL prefetch (another approach) |