From: | Dominique Devienne <ddevienne(at)gmail(dot)com> |
---|---|
To: | Pavel Luzanov <p(dot)luzanov(at)postgrespro(dot)ru> |
Cc: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, Karsten Hilbert <Karsten(dot)Hilbert(at)gmx(dot)net>, pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: Q: GRANT ... WITH ADMIN on PG 17 |
Date: | 2025-08-25 12:38:02 |
Message-ID: | CAFCRh--J96OtjyH8ow5bosKy9J7jqQw-gupYhHhP9QTLK-XwaQ@mail.gmail.com |
Lists: | pgsql-general |
On Mon, Aug 25, 2025 at 2:22 PM Pavel Luzanov <p(dot)luzanov(at)postgrespro(dot)ru> wrote:
>> On 22.08.2025 11:40, Laurenz Albe wrote:
>> Yes, that should work as follows: [...]
> [...] A safer option is to use security definer function to grant membership
FWIW, it's basically what I did.
My primary "admin" application role lost CREATEROLE,
and instead gained EXECUTE on security-definer procs
from a new lower-level role (with CREATEROLE),
in a new separate schema, which does all create/drop
roles or grant/revoke DDLs.
Which has the added benefits of enforcing naming conventions for roles,
of enforcing that grants are only between our "per-DB" roles,
and of making it easy to generate an audit log for all those DDLs.
So the v16 ROLE changes created a BIG MESS for us,
slowing us down quite a bit, but we ended up with a much
better "v2" architecture, so it was not all a loss... YMMV.
So +1 to Pavel. --DD
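The arrangement Dominique describes (a low-level CREATEROLE holder owning SECURITY DEFINER procedures in a separate schema, the application admin role holding only EXECUTE, with naming-convention checks and an audit log) sketched as an added example; this is constructed illustration, not the author's code, and the role, schema and procedure names are hypothetical:

```sql
-- Constructed example, not the author's code: a low-level CREATEROLE holder
-- owns SECURITY DEFINER procedures in their own schema; the application
-- admin role only gets EXECUTE on them. All names are hypothetical.
CREATE ROLE role_admin NOLOGIN CREATEROLE;   -- lower-level role doing the DDL
CREATE ROLE app_admin  LOGIN;                -- application admin, no CREATEROLE

CREATE SCHEMA roleadm AUTHORIZATION role_admin;
REVOKE ALL   ON SCHEMA roleadm FROM PUBLIC;
GRANT  USAGE ON SCHEMA roleadm TO app_admin;

SET ROLE role_admin;   -- everything below is owned by the CREATEROLE holder

CREATE TABLE roleadm.audit_log (
    at      timestamptz NOT NULL DEFAULT now(),
    caller  text        NOT NULL DEFAULT session_user,  -- current_user would be the definer
    action  text        NOT NULL,
    detail  text        NOT NULL
);

-- Naming convention: only "<dbname>_<suffix>" roles are managed here
-- (assumes a database name without regex metacharacters).
CREATE FUNCTION roleadm.check_name(p_name text) RETURNS void
LANGUAGE plpgsql SET search_path = pg_catalog, pg_temp AS $$
BEGIN
    IF p_name !~ ('^' || current_database() || '_[a-z0-9_]+$') THEN
        RAISE EXCEPTION 'role % violates the per-DB naming convention', p_name;
    END IF;
END $$;

CREATE PROCEDURE roleadm.create_db_role(p_name text)
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, pg_temp AS $$
BEGIN
    PERFORM roleadm.check_name(p_name);
    EXECUTE format('CREATE ROLE %I NOLOGIN', p_name);   -- %I quotes the identifier
    INSERT INTO roleadm.audit_log(action, detail) VALUES ('CREATE ROLE', p_name);
END $$;

-- role_admin created both roles, so on PG16+ it holds ADMIN OPTION on them.
CREATE PROCEDURE roleadm.grant_db_role(p_role text, p_member text)
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, pg_temp AS $$
BEGIN
    PERFORM roleadm.check_name(p_role);
    PERFORM roleadm.check_name(p_member);
    EXECUTE format('GRANT %I TO %I', p_role, p_member);
    INSERT INTO roleadm.audit_log(action, detail)
        VALUES ('GRANT', format('%I TO %I', p_role, p_member));
END $$;

REVOKE ALL ON ALL PROCEDURES IN SCHEMA roleadm FROM PUBLIC;
GRANT EXECUTE ON PROCEDURE roleadm.create_db_role(text),
                           roleadm.grant_db_role(text, text) TO app_admin;
RESET ROLE;
```

With this in place, `app_admin` can run `CALL roleadm.create_db_role('mydb_reader')` but cannot issue `CREATE ROLE` itself, and every call leaves a row in `roleadm.audit_log` attributed to the session user.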