| From: | Jeff Davis <pgsql(at)j-davis(dot)com> |
|---|---|
| To: | Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com> |
| Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com> |
| Subject: | Re: Non-superuser subscription owners |
| Date: | 2021-11-17 17:33:24 |
| Message-ID: | b6f6ed921b6e219875801857204b14bbc8782e5e.camel@j-davis.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, 2021-11-17 at 07:44 -0800, Mark Dilger wrote:
> Administrators may quite
> intentionally create low-power users, ones without access to anything
> but a single table, or a single schema, as a means of restricting the
> damage that a subscription might do (or more precisely, what the
> publisher might do via the subscription.) It would be surprising if
> that low-power user was then able to recreate the subscription into
> something different.
I am still trying to understand this use case. It doesn't feel like
"ownership" to me, it feels more like some kind of delegation.
Is GRANT a better fit here? That would allow more than one user to
REFRESH, or ENABLE/DISABLE the same subscription. It wouldn't allow
RENAME, but I don't see why we'd separate privileges for
CREATE/DROP/RENAME anyway.
This would not address the weirdness of the existing code where a
superuser loses their superuser privileges but still owns a
subscription. But perhaps we can solve that a different way, like just
performing a check when someone loses their superuser privileges that
they don't own any subscriptions.
Regards,
Jeff Davis
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Dilger | 2021-11-17 18:25:50 | Re: Non-superuser subscription owners |
| Previous Message | Mark Dilger | 2021-11-17 17:12:06 | Re: Granting SET and ALTER SYSTE privileges for GUCs |