Re: Special role for subscriptions

> 21 марта 2019 г., в 8:56, Michael Paquier <michael(at)paquier(dot)xyz> написал(а):
>
> On Wed, Mar 20, 2019 at 11:58:04PM +0800, Andrey Borodin wrote:
>>> 20 марта 2019 г., в 21:46, Robert Haas <robertmhaas(at)gmail(dot)com> написал(а):
>>> I think we should view this permission as "you can create
>>> subscriptions, plain and simple".
>>
>> That sounds good.
>> From my POV, the purpose of the patch is to allow users to transfer
>> their database via logical replication. Without superuser privileges
>> (e.g. to the managed cloud with vanilla postgres).
>
> A system role to be able to create subscriptions is perhaps a too big
> hammer as that would apply to all databases of a system, still we may
> be able to live with that.
>
> Perhaps we would want something at database level different from GRANT
> CREATE ON DATABASE, but only for subscriptions? This way, it is
> possible to have per-database groups having the right to create
> subscriptions, and I'd like to think that we should not include
> subcription creation into the existing CREATE rights. It would be
> kind of funny to not have CREATE include the creation of this specific
> object though :)

I think that small granularity can lead to unnecessary multiplication of subscription. User need to have sufficient minimum number of subscriptions, like they have 1 incoming WAL.
If we have per-database permission management, user will decide that it is a good thing to divide one subscription to per-database subscriptions.

Best regards, Andrey Borodin.