Re: New predefined roles- 'pg_read/write_all_data'
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: "Shinoda, Noriyoshi (PN Japan FSIP)" <noriyoshi.shinoda@hpe.com>
Cc: Anastasia Lubennikova <a.lubennikova@postgrespro.ru>,
Michael Banck <michael.banck@credativ.de>, "gkokolatos@pm.me" <gkokolatos@pm.me>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>
Date: 2021-09-05T11:50:05Z
Lists: pgsql-hackers
Greetings, On Sun, Sep 5, 2021 at 07:43 Shinoda, Noriyoshi (PN Japan FSIP) < noriyoshi.shinoda@hpe.com> wrote: > I have tested this new feature with PostgreSQL 14 Beta 3 environment. > I created a user granted with pg_write_all_data role and executed UPDATE > and DELETE statements on tables owned by other users. > If there is no WHERE clause, it can be executed as expected, but if the > WHERE clause is specified, an error of permission denied will occur. > Is this the expected behavior? A WHERE clause requires SELECT rights on the table/columns referenced and if no SELECT rights were granted then a permission denied error is the correct result, yes. Note that pg_write_all_data, as documented, does not include SELECT rights. Thanks, Stephen
Commits
-
docs: Add command tags for SQL commands
- 8f6c11034976 14.0 landed
- f01727290fe0 15.0 landed
-
Add pg_read_all_data and pg_write_all_data roles
- 6c3ffd697e22 14.0 landed