Re: Special role for subscriptions
From | Andrey Borodin |
---|---|
Subject | Re: Special role for subscriptions |
Date | |
Msg-id | ABFEA12D-005C-4D14-AE1F-B83186AAFE24@yandex-team.ru |
In response to | Re: Special role for subscriptions (Evgeniy Efimkin <efimkin@yandex-team.ru>) |
List | pgsql-hackers |

> On 14 March 2019, at 12:56, Evgeniy Efimkin <efimkin@yandex-team.ru> wrote:
>
> Hi!
>> I view that as the first step towards building a more granular privilege
>> system for subscription creation, and that was the second half of what I
>> was trying to say before- I do think there's value in having something
>> more granular than just "this role can create ANY subscription". As an
>> administrator, I might be fine with subscriptions to system X, but not
>> to system Y, for example. As long as we don't block off the ability to
>> build something finer grained in the future, then having the system role
>> to allow a given role to do create subscription seems fine to me.
> Do you mean something like `CREATE SERVER` with privileges for each server, which is used in CREATE SUBSCRIPTION, in a way very similar to that used in foreign data wrappers?
>

Let's summarize. To create a subscription into table X, a user must:

1. be a superuser
2. Or (have role pg_subscription_users
3. and be allowed to write into the table X)
4. Condition 3 can be replaced\extended by "be the owner of the table X".
5. Condition 2 can be replaced\extended by "have privileges for some remote server".

Which combination of authorization rules do we want? IMHO 1,2,4 is sufficient.

Best regards, Andrey Borodin.