Re: Add default role 'pg_access_server_files'

Ryan Murphy <ryanfmurphy@gmail.com>

From: Ryan Murphy <ryanfmurphy@gmail.com>
To: pgsql-hackers@postgresql.org
Cc: Stephen Frost <sfrost@snowman.net>
Date: 2018-01-07T07:17:24Z
Lists: pgsql-hackers
The following review has been posted through the commitfest application:
make installcheck-world:  tested, passed
Implements feature:       tested, passed
Spec compliant:           not tested
Documentation:            tested, passed

I ran make installcheck-world and all tests passed except one that is a known issue with the way I have my environment setup (ecpg tests unrelated to this patch).

Manual tests I ran to see if it Implements the Feature:

1) confirmed that superuser can call pg_read_file() to read files in or out of data directory
2) confirmed that "tester" can call pg_read_file() only if given EXECUTE privilege
3) confirmed that "tester" can only call pg_read_file() on a file OUTSIDE of the data directory iff I "grant pg_access_server_files to tester;"

Documentation seems reasonable.

I believe this patch to be Ready for Committer.

The new status of this patch is: Ready for Committer

Commits

  1. Add default roles for file/program access

  2. Remove explicit superuser checks in favor of ACLs

  3. Support new default roles with adminpack