Re: predefined role(s) for VACUUM and ANALYZE

Nathan Bossart <nathandbossart@gmail.com>

From: Nathan Bossart <nathandbossart@gmail.com>
To: Bharath Rupireddy <bharath.rupireddyforpostgres@gmail.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2022-07-25T16:40:49Z
Lists: pgsql-hackers
On Mon, Jul 25, 2022 at 12:58:36PM +0530, Bharath Rupireddy wrote:
> Thanks. I'm personally happy with more granular levels of control (as
> we don't have to give full superuser access to just run a few commands
> or maintenance operations) for various postgres commands. The only
> concern is that we might eventually end up with many predefined roles
> (perhaps one predefined role per command), spreading all around the
> code base and it might be difficult for the users to digest all of the
> roles in. It will be great if we can have some sort of rules or
> methods to define a separate role for a command.

Yeah, in the future, I could see this growing to a couple dozen predefined
roles.  Given they are relatively inexpensive and there are already 12 of
them, I'm personally not too worried about the list becoming too unwieldy.
Another way to help users might be to create additional aggregate
predefined roles (like pg_monitor) for common combinations.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com



Commits

  1. Provide non-superuser predefined roles for vacuum and analyze

  2. Provide per-table permissions for vacuum and analyze.

  3. Expand AclMode to 64 bits

  4. Simplify WARNING messages from skipped vacuum/analyze on a table

  5. Allow granting SET and ALTER SYSTEM privileges on GUC parameters.

  6. Add String object access hooks