Re: New predefined roles- 'pg_read/write_all_data'

Stephen Frost <sfrost@snowman.net>

From: Stephen Frost <sfrost@snowman.net>
To: "Shinoda, Noriyoshi (PN Japan FSIP)" <noriyoshi.shinoda@hpe.com>
Cc: Anastasia Lubennikova <a.lubennikova@postgrespro.ru>, Michael Banck <michael.banck@credativ.de>, "gkokolatos@pm.me" <gkokolatos@pm.me>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2021-09-05T11:50:05Z
Lists: pgsql-hackers
Greetings,

On Sun, Sep 5, 2021 at 07:43 Shinoda, Noriyoshi (PN Japan FSIP) <
noriyoshi.shinoda@hpe.com> wrote:

> I have tested this new feature with PostgreSQL 14 Beta 3 environment.
> I created a user granted with pg_write_all_data role and executed UPDATE
> and DELETE statements on tables owned by other users.
> If there is no WHERE clause, it can be executed as expected, but if the
> WHERE clause is specified, an error of permission denied will occur.
> Is this the expected behavior?


A WHERE clause requires SELECT rights on the table/columns referenced and
if no SELECT rights were granted then a permission denied error is the
correct result, yes. Note that pg_write_all_data, as documented, does not
include SELECT rights.

Thanks,

Stephen

Commits

  1. docs: Add command tags for SQL commands

  2. Add pg_read_all_data and pg_write_all_data roles