From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: PG 14 release notes, first draft |
Date: | 2021-05-22 23:29:45 |
Message-ID: | 20210522232945.GO20766@tamriel.snowman.net |
Lists: | pgsql-hackers |
Greetings,

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> I have committed the first draft of the PG 14 release notes. You can
> see the most current build of them here:
>
> https://momjian.us/pgsql_docs/release-14.html

It occurs to me that the wording around the new default roles could
probably be better. Specifically:

Add predefined roles pg_read_all_data and pg_write_all_data (Stephen Frost)

These non-login roles give read-only/write-only access to all objects.

Might be better as:

These non-login roles give read, or write, access to all tables, views,
and sequences.

(These roles don't actually allow, for example, a function to be
redefined, so saying 'all objects' isn't quite right either.)

While these roles could be used to create a 'read only' or 'write only'
role, they, themselves, do not explicitly convey that on to a role
because they don't do anything to prevent someone from GRANT'ing other
rights to some role which has been GRANT'd these predefined roles. I
don't think anyone on this list thought differently from that, but the
phrasing strikes me as potentially confusing.

Maybe another way would be:

These non-login roles give (only) read, or write, access to all tables,
views, and sequences.

but I don't think saying 'only' there really adds anything and instead
invites confusion.

Thanks!

Stephen
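
The point made in the message above, that membership in pg_read_all_data does not by itself make a role read-only, shown as an added example that is not part of the original message. It assumes a superuser session on a PostgreSQL 14 scratch database; the role app_reporting and the table demo_orders are constructed names.

```sql
-- Added illustration; app_reporting and demo_orders are constructed names.
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE app_reporting NOLOGIN;
CREATE TABLE demo_orders (id int PRIMARY KEY, total numeric);

-- Membership in the predefined role gives read access to tables, views
-- and sequences.
GRANT pg_read_all_data TO app_reporting;

-- Nothing about that membership blocks a later, separate grant of write access.
GRANT INSERT, UPDATE ON demo_orders TO app_reporting;

-- Both columns come back true: the role reads via pg_read_all_data
-- and writes via the direct grant.
SELECT has_table_privilege('app_reporting', 'demo_orders', 'SELECT') AS can_select,
       has_table_privilege('app_reporting', 'demo_orders', 'INSERT') AS can_insert;

-- Audit query: direct members of pg_read_all_data that also hold a write
-- privilege on some user table or view. Indirect (nested) membership is
-- not followed here.
SELECT m.rolname AS member, c.oid::regclass AS relation, p.priv
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid AND g.rolname = 'pg_read_all_data'
JOIN pg_roles m ON m.oid = am.member
CROSS JOIN pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN (VALUES ('INSERT'), ('UPDATE'), ('DELETE'), ('TRUNCATE')) AS p(priv)
WHERE c.relkind IN ('r', 'p', 'v')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
  AND has_table_privilege(m.oid, c.oid, p.priv)
ORDER BY member, relation, priv;

ROLLBACK;
```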