From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: PG 14 release notes, first draft |
Date: | 2021-05-23 00:16:58 |
Message-ID: | 20210523001658.GK8971@momjian.us |
Lists: | pgsql-hackers |
On Sat, May 22, 2021 at 07:29:45PM -0400, Stephen Frost wrote:
> Greetings,
>
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > I have committed the first draft of the PG 14 release notes. You can
> > see the most current build of them here:
> >
> > https://momjian.us/pgsql_docs/release-14.html
>
> It occurs to me that the wording around the new default roles could
> probably be better. Specifically:
>
> Add predefined roles pg_read_all_data and pg_write_all_data (Stephen Frost)
>
> These non-login roles give read-only/write-only access to all objects.
>
> Might be better as:
>
> These non-login roles give read, or write, access to all tables, views,
> and sequences.
>
> (These roles don't actually allow, for example, a function to be
> redefined, so saying 'all objects' isn't quite right either.)
>
> While these roles could be used to create a 'read only' or 'write only'
> role, they, themselves, do not explicitly convey that on to a role
> because they don't do anything to prevent someone from GRANT'ing other
> rights to some role which has been GRANT'd these predefined roles. I
> don't think anyone on this list thought differently from that, but the
> phrasing strikes me as potentially confusing.
>
> Maybe another way would be:
>
> These non-login roles give (only) read, or write, access to all tables,
> views, and sequences.
>
> but I don't think saying 'only' there really adds anything and instead
> invites confusion.
OK, I went with this text:
<listitem>
<!--
Author: Stephen Frost <sfrost(at)snowman(dot)net>
2021-04-05 [6c3ffd697] Add pg_read_all_data and pg_write_all_data roles
-->
<para>
Add predefined roles <link
linkend="predefined-roles"><structname>pg_read_all_data</structname></link>
and <structname>pg_write_all_data</structname> (Stephen Frost)
</para>
<para>
These non-login roles can be used to give read or write permission to
all tables, views, and sequences.
</para>
</listitem>
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.
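An added example, not from this thread or the PostgreSQL project, illustrating the point Stephen raises above: membership in pg_read_all_data grants read access to every table, view and sequence, but nothing stops an ordinary GRANT from adding write access on top of it, so a role intended to be read-only has to be audited for direct grants. It assumes PostgreSQL 14 or later, a superuser session, and a constructed role `reporting` and table `orders`.

```sql
-- Constructed example, not from the thread: a "reporting" role built on
-- pg_read_all_data, and a check for privileges granted on top of it.
-- Assumes PostgreSQL 14+ and a superuser session (needed for SET ROLE
-- into a NOLOGIN role and to see every grant in information_schema).

CREATE ROLE reporting NOLOGIN;
GRANT pg_read_all_data TO reporting;

CREATE TABLE orders (id integer PRIMARY KEY, total numeric);
INSERT INTO orders VALUES (1, 10.00);

-- Membership in pg_read_all_data covers SELECT on every table, view and
-- sequence, including ones created after the GRANT.
SET ROLE reporting;
SELECT * FROM orders;                 -- permitted via pg_read_all_data
INSERT INTO orders VALUES (2, 5.00);  -- reporting holds no INSERT privilege yet
RESET ROLE;

-- The predefined role does not make reporting read-only: an ordinary GRANT
-- adds write access on top of it, and nothing flags the change.
GRANT INSERT ON orders TO reporting;
SET ROLE reporting;
INSERT INTO orders VALUES (2, 5.00);  -- INSERT is now permitted
RESET ROLE;

-- Audit 1: direct table privileges held by reporting. Anything listed here
-- is beyond what pg_read_all_data membership provides.
SELECT table_schema, table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee = 'reporting'
ORDER BY 1, 2, 3;

-- Audit 2: every role reporting is a member of, so an unexpected grant of
-- pg_write_all_data or another powerful role is visible as well.
SELECT r.rolname AS member_of
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles g ON g.oid = m.member
WHERE g.rolname = 'reporting';
```

Running both audit queries on a schedule, and alerting when the first returns any row or the second returns anything other than pg_read_all_data, is the practical way to keep a "read-only" role read-only.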