| From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Noah Misch <noah(at)leadboat(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, David Steele <david(at)pgmasters(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Additional role attributes && superuser review |
| Date: | 2016-01-29 05:14:49 |
| Message-ID: | CAB7nPqTWEgQxpQyXTXTp4XkRtvRWYF-Z+N0kK-Qsb-MTSCYPrg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Jan 29, 2016 at 6:37 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>> On Thu, Jan 28, 2016 at 11:04 AM, Stephen Frost <sfrost(at)snowman(dot)net>
wrote:
>> > Personally, I don't have any particular issue having both, but the
>> > desire was stated that it would be better to have the regular
>> > GRANT EXECUTE ON catalog_func() working before we consider having
>> > default roles for same. That moves the goal posts awful far though, if
>> > we're to stick with that and consider how we might extend the GRANT
>> > system in the future.
>>
>> I don't think it moves the goal posts all that far. Convincing
>> pg_dump to dump grants on system functions shouldn't be a crazy large
>> patch.
>
> I wasn't clear as to what I was referring to here. I've already written
> a patch to pg_dump to support grants on system objects and agree that
> it's at least reasonable.
Is it already posted somewhere? I don't recall seeing it. Robert and Noah
have a point that this would be useful for users who would like to dump
GRANT/REVOKE rights on system functions & all, using a new option in
pg_dumpall, say --with-system-acl or --with-system-privileges. If at least
the three of you are agreeing here I think that we should try to move at
least toward this goal first. That seems a largely doable goal for 9.6. For
the set of default roles, there is clearly no clear consensus regarding
what each role should do or not, and under which limitation it should
operate.
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2016-01-29 06:24:52 | Re: insufficient qualification of some objects in dump files |
| Previous Message | Kouhei Kaigai | 2016-01-29 04:26:30 | Re: CustomScan in a larger structure (RE: CustomScan support on readfuncs.c) |