From: | Andrey Borodin <x4mmm(at)yandex-team(dot)ru> |
---|---|
To: | Evgeniy Efimkin <efimkin(at)yandex-team(dot)ru> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Jeff Davis <pgsql(at)j-davis(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Дмитрий Сарафанников <dsarafan(at)yandex-team(dot)ru>, Владимир Бородин <root(at)simply(dot)name> |
Subject: | Re: Special role for subscriptions |
Date: | 2019-03-14 09:19:05 |
Message-ID: | ABFEA12D-005C-4D14-AE1F-B83186AAFE24@yandex-team.ru |
Lists: | pgsql-hackers |
> On 14 March 2019, at 12:56, Evgeniy Efimkin <efimkin(at)yandex-team(dot)ru> wrote:
>
> Hi!
>> I view that as the first step towards building a more granular privilege
>> system for subscription creation, and that was the second half of what I
>> was trying to say before- I do think there's value in having something
>> more granular than just "this role can create ANY subscription". As an
>> administrator, I might be fine with subscriptions to system X, but not
>> to system Y, for example. As long as we don't block off the ability to
>> build something finer grained in the future, then having the system role
>> to allow a given role to do create subscription seems fine to me.
> Do you mean something like `CREATE SERVER` with privileges for each server, which is then used in CREATE SUBSCRIPTION, in a way very similar to how it is used in foreign data wrappers?
>
Let's summarize.
To create a subscription into table X a user must:
1. be a superuser
2. Or (have role pg_subscription_users
3. and be allowed to write into the table X)
4. Condition 3 can be replaced/extended by "be the owner of the table X".
5. Condition 2 can be replaced/extended by "have privileges for some remote server".
Which combination of authorization rules do we want?
IMHO 1,2,4 is sufficient.
Best regards, Andrey Borodin.
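The five conditions above can be modelled as a small policy evaluator, which makes it easy to compare candidate rule sets such as {1,2,4} against {1,2,3,4} or {1,5,4}. This is an added illustration of the proposal under discussion, not PostgreSQL code: the role name pg_subscription_users and the condition numbering come from the thread, while the User record and the rule-set encoding are assumptions.

```python
"""Model of the CREATE SUBSCRIPTION authorization rules summarized above.

Constructed illustration of the proposed model, not PostgreSQL source. The
role name pg_subscription_users and the numbered conditions come from the
thread; the User record and the ruleset encoding are assumptions.
"""
from dataclasses import dataclass

SUBSCRIPTION_ROLE = "pg_subscription_users"   # proposed predefined role


@dataclass
class User:
    name: str
    superuser: bool = False
    roles: frozenset = frozenset()              # roles the user is a member of
    writable_tables: frozenset = frozenset()    # tables the user may write into
    owned_tables: frozenset = frozenset()       # tables the user owns
    server_privs: frozenset = frozenset()       # remote servers the user may use


def condition_holds(n: int, user: User, table: str, server: str) -> bool:
    """Evaluate one numbered condition from the summary for the target
    table and the remote server the subscription would connect to."""
    if n == 1:                                  # 1. be a superuser
        return user.superuser
    if n == 2:                                  # 2. hold pg_subscription_users
        return SUBSCRIPTION_ROLE in user.roles
    if n == 3:                                  # 3. may write into table X
        return table in user.writable_tables
    if n == 4:                                  # 4. is the owner of table X
        return table in user.owned_tables
    if n == 5:                                  # 5. has privileges on the server
        return server in user.server_privs
    raise ValueError(f"unknown condition {n}")


def may_create_subscription(user, table, server, ruleset=(1, 2, 4)):
    """Condition 1 alone suffices. Otherwise the user needs one 'who may
    subscribe' condition (2 or 5) AND one 'who may write the table'
    condition (3 or 4), restricted to the conditions in the chosen ruleset.
    The default ruleset is the {1,2,4} combination favoured in the mail."""
    if 1 in ruleset and condition_holds(1, user, table, server):
        return True
    who = [n for n in (2, 5) if n in ruleset]
    what = [n for n in (3, 4) if n in ruleset]
    return (any(condition_holds(n, user, table, server) for n in who)
            and any(condition_holds(n, user, table, server) for n in what))
```

Under the default {1,2,4} ruleset a member of pg_subscription_users who can write to a table but does not own it is refused; widening the ruleset to include condition 3 admits that user.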