| From: | Martín Marqués <martin(at)2ndquadrant(dot)com> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Read access for pg_monitor to pg_replication_origin_status view |
| Date: | 2020-06-01 18:38:07 |
| Message-ID: | CAPdiE1ycTSR+2d2xQ5C1LGfooBaAv+ZAW1vGXq7bCB7wFfDzQA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
Took me a bit longer than expected, but here is a new version, now
with the idea of just removing the superuser() check and REVOKEing
execution of the functions from public. At the end I grant permission
to functions and the pg_replication_origin_status view.
I wonder now if I needed to GRANT execution of the functions. A grant
on the view should be enough.
I'll think about it.
El dom., 31 de may. de 2020 a la(s) 12:13, Martín Marqués
(martin(at)2ndquadrant(dot)com) escribió:
>
> Hi Michael,
>
> > Wouldn't it be just better to remove this hardcoded superuser check
> > and replace it with equivalent ACLs by default? The trick is to make
> > sure that any function calling replorigin_check_prerequisites() has
> > its execution correctly revoked from public. See for example
> > e79350fe.
>
> Looking at that, it seems a better solution. Let me wrap up a new
> patch, likely later today or early tomorrow as it's Sunday ;-)
>
> --
> Martín Marqués http://www.2ndQuadrant.com/
> PostgreSQL Development, 24x7 Support, Training & Services
--
Martín Marqués http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Access-to-pg_replication_origin_status-view-was-r.patch | text/x-patch | 4.9 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2020-06-01 19:11:04 | Re: Just for fun: Postgres 20? |
| Previous Message | Mark Dilger | 2020-06-01 17:07:26 | Re: Small code cleanup |