Re: New default role- 'pg_read_all_data'
From | Isaac Morland |
---|---|
Subject | Re: New default role- 'pg_read_all_data' |
Date | |
Msg-id | CAMsGm5cOPjtzuS-Tp6PqovbH-YzSOp4gEx9OFqjpchqnF+GHnA@mail.gmail.com |
In reply to | Re: New default role- 'pg_read_all_data' (Stephen Frost <sfrost@snowman.net>) |
Replies | Re: New default role- 'pg_read_all_data' |
List | pgsql-hackers |
On Fri, 28 Aug 2020 at 08:43, Stephen Frost <sfrost@snowman.net> wrote:
This would simply REVOKE that role from the user. Privileges
independently GRANT'd directly to the user wouldn't be affected. Nor
would other role membership.
> What privileges would the user be left with? Would it be possible to end up in the same privilege only with a GRANT command?
What about:
REVOKE SELECT ON [table] FROM pg_read_all_data;
I guess what I’m really asking is whether pg_read_all_data is automatically granted SELECT on all newly-created relations, or if the permission checking system always returns TRUE when asked if pg_read_all_data can select from a relation? I’m guessing it’s the latter so that it would be ineffective to revoke select privilege as I think this is more useful, but I’d like to be sure and the documentation should be explicit on this point.
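
A probe for the two models the message asks about, added here as an example and not part of the original message or of the PostgreSQL project's code. It assumes a server that ships the pg_read_all_data role and a session allowed to create roles; the names audit_reader and acl_probe are hypothetical.

```sql
-- Added example: audit_reader and acl_probe are hypothetical names.
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE audit_reader NOLOGIN;
GRANT pg_read_all_data TO audit_reader;

-- A relation created after the membership grant.
CREATE TABLE acl_probe (id int);

-- Automatic-GRANT model: relacl would carry an entry naming pg_read_all_data.
-- Check-always-passes model: relacl has no such entry (NULL for a fresh table).
SELECT relacl FROM pg_class WHERE oid = 'acl_probe'::regclass;

SELECT has_table_privilege('audit_reader', 'acl_probe', 'SELECT')
       AS before_revoke;

-- The statement from the message.
REVOKE SELECT ON acl_probe FROM pg_read_all_data;

-- false: the table-level revoke removed access (automatic-GRANT model).
-- true:  the permission check does not consult the table ACL for this
--        role, so the revoke was ineffective (check-always-passes model).
SELECT has_table_privilege('audit_reader', 'acl_probe', 'SELECT')
       AS after_table_revoke;

-- Revoking membership, as in the quoted reply: only privileges granted
-- directly to the user or through other roles remain.
REVOKE pg_read_all_data FROM audit_reader;
SELECT has_table_privilege('audit_reader', 'acl_probe', 'SELECT')
       AS after_membership_revoke;

ROLLBACK;
```

If after_table_revoke is true, restricting a member of pg_read_all_data to a subset of tables requires removing the membership and granting SELECT per table instead.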