Re: New default role- 'pg_read_all_data'
Isaac Morland <isaac.morland@gmail.com>
From: Isaac Morland <isaac.morland@gmail.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Georgios Kokolatos <gkokolatos@protonmail.com>, PostgreSQL Developers <pgsql-hackers@lists.postgresql.org>
Date: 2020-08-28T12:51:06Z
Lists: pgsql-hackers
On Fri, 28 Aug 2020 at 08:43, Stephen Frost <sfrost@snowman.net> wrote: > This would simply REVOKE that role from the user. Privileges > independently GRANT'd directly to the user wouldn't be affected. Nor > would other role membership. > > > What privileges would the user be left with? Would it be possible to end > up in the same privilege only with a GRANT command? > What about: REVOKE SELECT ON [table] FROM pg_read_all_data; I guess what I’m really asking is whether pg_read_all_data is automatically granted SELECT on all newly-created relations, or if the permission checking system always returns TRUE when asked if pg_read_all_data can select from a relation? I’m guessing it’s the latter so that it would be ineffective to revoke select privilege as I think this is more useful, but I’d like to be sure and the documentation should be explicit on this point.
Commits
-
docs: Add command tags for SQL commands
- 8f6c11034976 14.0 landed
- f01727290fe0 15.0 landed
-
Add pg_read_all_data and pg_write_all_data roles
- 6c3ffd697e22 14.0 landed