Re: predefined role(s) for VACUUM and ANALYZE

Nathan Bossart <nathandbossart@gmail.com>

From: Nathan Bossart <nathandbossart@gmail.com>
To: Dagfinn Ilmari Mannsåker <ilmari@ilmari.org>
Cc: Andrew Dunstan <andrew@dunslane.net>, Corey Huinker <corey.huinker@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Stephen Frost <sfrost@snowman.net>, Bharath Rupireddy <bharath.rupireddyforpostgres@gmail.com>, "David G. Johnston" <david.g.johnston@gmail.com>, Kyotaro Horiguchi <horikyota.ntt@gmail.com>, Michael Paquier <michael@paquier.xyz>, Robert Haas <robertmhaas@gmail.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-12-06T19:51:08Z
Lists: pgsql-hackers
On Tue, Dec 06, 2022 at 11:47:50AM +0000, Dagfinn Ilmari Mannsåker wrote:
> These checks are getting rather repetitive, how about a data-driven
> approach, along the lines of the below patch?  I'm not quite happy with
> the naming of the struct and its members (and maybe it should be in a
> header?), suggestions welcome.

+1.  I wonder if we should also consider checking all the bits at once
before we start checking for the predefined roles.  I'm thinking of
something a bit like this:

	role_mask = ACL_SELECT | ACL_INSERT | ACL_UPDATE |
				ACL_DELETE | ACL_VACUUM | ACL_ANALYZE;

	if (mask & role_mask != result & role_mask)
	{
		... existing checks here ...
	}

I'm skeptical this actually produces any measurable benefit, but presumably
the predefined roles list will continue to grow, so maybe it's still worth
adding a fast path.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com



Commits

  1. Provide non-superuser predefined roles for vacuum and analyze

  2. Provide per-table permissions for vacuum and analyze.

  3. Expand AclMode to 64 bits

  4. Simplify WARNING messages from skipped vacuum/analyze on a table

  5. Allow granting SET and ALTER SYSTEM privileges on GUC parameters.

  6. Add String object access hooks