Re: New default role- 'pg_read_all_data'

Stephen Frost <sfrost@snowman.net>

From: Stephen Frost <sfrost@snowman.net>
To: Georgios Kokolatos <gkokolatos@protonmail.com>
Cc: pgsql-hackers@lists.postgresql.org
Date: 2020-08-28T12:43:03Z
Lists: pgsql-hackers
Greetings,

* Georgios Kokolatos (gkokolatos@protonmail.com) wrote:
> The patch seems to be implementing a useful and requested feature.
> The patch applies cleanly and passes the basic regress tests. Also the commitfest bot is happy.
> 
> A first pass at the code, has not revealed any worthwhile comments.
> Please allow me for a second and more thorough pass. The commitfest has hardly started after all.

Great, thanks!

> Also allow me a series of genuine questions: 
> 
> What would the behaviour be with REVOKE?
> In a sequence similar to:
> GRANT ALL ON ...

GRANT ALL would be independently GRANT'ing rights to some role and
therefore unrelated.

> REVOKE pg_read_all_data FROM ...

This would simply REVOKE that role from the user.  Privileges
independently GRANT'd directly to the user wouldn't be affected.  Nor
would other role membership.

> What privileges would the user be left with? Would it be possible to end up in the same privilege only with a GRANT command?

I'm not sure what's being asked here.

> Does the above scenario even make sense?

I definitely believe it makes sense for a given role/user to be a member
of pg_read_all_data and to be a member of other roles, or to have other
privileges GRANT'd directly to them.

Thanks,

Stephen

Commits

  1. docs: Add command tags for SQL commands

  2. Add pg_read_all_data and pg_write_all_data roles