Re: New default role- 'pg_read_all_data'
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Isaac Morland <isaac.morland@gmail.com>
Cc: Georgios Kokolatos <gkokolatos@protonmail.com>, PostgreSQL Developers <pgsql-hackers@lists.postgresql.org>
Date: 2020-08-28T12:54:11Z
Lists: pgsql-hackers
Greetings, * Isaac Morland (isaac.morland@gmail.com) wrote: > On Fri, 28 Aug 2020 at 08:43, Stephen Frost <sfrost@snowman.net> wrote: > > This would simply REVOKE that role from the user. Privileges > > independently GRANT'd directly to the user wouldn't be affected. Nor > > would other role membership. > > > > > What privileges would the user be left with? Would it be possible to end > > up in the same privilege only with a GRANT command? > > What about: > > REVOKE SELECT ON [table] FROM pg_read_all_data; Wouldn't have any effect, and I think that's correct. > I guess what I’m really asking is whether pg_read_all_data is automatically > granted SELECT on all newly-created relations, or if the permission > checking system always returns TRUE when asked if pg_read_all_data can > select from a relation? I’m guessing it’s the latter so that it would be > ineffective to revoke select privilege as I think this is more useful, but > I’d like to be sure and the documentation should be explicit on this point. Yes, it's the latter. I'm not really sure about the documentation change you're contemplating- have a specific suggestion? Thanks, Stephen
Commits
-
docs: Add command tags for SQL commands
- 8f6c11034976 14.0 landed
- f01727290fe0 15.0 landed
-
Add pg_read_all_data and pg_write_all_data roles
- 6c3ffd697e22 14.0 landed