Re: Additional role attributes && superuser review

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Noah Misch <noah(at)leadboat(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, David Steele <david(at)pgmasters(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Additional role attributes && superuser review
Date: 2016-01-30 02:09:42
Message-ID: CAB7nPqSwm4_q2hAE3kN=j3Hoxhs6hYe5tj7M2dRSc3HU01v6Yg@mail.gmail.com
Lists: pgsql-hackers

On Fri, Jan 29, 2016 at 11:41 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> Michael,
>
> * Michael Paquier (michael(dot)paquier(at)gmail(dot)com) wrote:
>> On Fri, Jan 29, 2016 at 6:37 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> > * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>> >> On Thu, Jan 28, 2016 at 11:04 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> >> > Personally, I don't have any particular issue having both, but the
>> >> > desire was stated that it would be better to have the regular
>> >> > GRANT EXECUTE ON catalog_func() working before we consider having
>> >> > default roles for same. That moves the goal posts awful far though, if
>> >> > we're to stick with that and consider how we might extend the GRANT
>> >> > system in the future.
>> >>
>> >> I don't think it moves the goal posts all that far. Convincing
>> >> pg_dump to dump grants on system functions shouldn't be a crazy large
>> >> patch.
>> >
>> > I wasn't clear as to what I was referring to here. I've already written
>> > a patch to pg_dump to support grants on system objects and agree that
>> > it's at least reasonable.
>>
>> Is it already posted somewhere? I don't recall seeing it. Robert and Noah
>> have a point that this would be useful for users who would like to dump
>> GRANT/REVOKE rights on system functions & all, using a new option in
>> pg_dumpall, say --with-system-acl or --with-system-privileges.
>
> Multiple versions were posted on this thread. I don't fault you for not
> finding it, this thread is a bit long in the tooth. The one I'm
> currently working from is:
>
> http://www.postgresql.org/message-id/attachment/38049/catalog_function_acls_v4.patch
>
> I'm going to split up the pg_dump changes and the backend changes, as
> they can logically go in independently (though without both, we're not
> moving the needle very far with regards to what administrators can do).

OK. Looks like a good way to move forward to me.

>> If at least
>> the three of you are agreeing here I think that we should try to move at
>> least toward this goal first. That seems a largely doable goal for 9.6. For
>> the set of default roles, there is clearly no clear consensus regarding
>> what each role should do or not, and under which limitation it should
>> operate.
>
> I'm trying to work towards a consensus on the default roles, hence the
> questions and discussion posed in the email you replied to.

So the current CF entry should be marked as returned with feedback
perhaps? What do you think? Once patches are ready for the default
roles in backend and for pg_dump, we could then work on reviewing them
separately.
--
Michael
