Re: New default role- 'pg_read_all_data'

Georgios <gkokolatos@protonmail.com>

From: Georgios Kokolatos <gkokolatos@protonmail.com>
To: pgsql-hackers@lists.postgresql.org
Cc: Stephen Frost <sfrost@snowman.net>
Date: 2020-08-28T12:16:36Z
Lists: pgsql-hackers
Thank you for the patch.

My high level review comment:
The patch seems to be implementing a useful and requested feature.
The patch applies cleanly and passes the basic regress tests. Also the commitfest bot is happy.

A first pass at the code, has not revealed any worthwhile comments.
Please allow me for a second and more thorough pass. The commitfest has hardly started after all.

Also allow me a series of genuine questions: 

What would the behaviour be with REVOKE?
In a sequence similar to:
GRANT ALL ON ...
REVOKE pg_read_all_data FROM ...
What privileges would the user be left with? Would it be possible to end up in the same privilege only with a GRANT command?
Does the above scenario even make sense?

Regards,

Commits

  1. docs: Add command tags for SQL commands

  2. Add pg_read_all_data and pg_write_all_data roles