> On 14 Mar 2019, at 12:56, Evgeniy Efimkin <efim...@yandex-team.ru>
> wrote:
>
> Hi!
>> I view that as the first step towards building a more granular privilege
>> system for subscription creation, and that was the second half of what I
>> was trying to say before- I do think there's value in having something
>> more granular than just "this role can create ANY subscription". As an
>> administrator, I might be fine with subscriptions to system X, but not
>> to system Y, for example. As long as we don't block off the ability to
>> build something finer grained in the future, then having the system role
>> to allow a given role to do create subscription seems fine to me.
> Do you mean something like `CREATE SERVER` with privileges for each server,
> which is then used in CREATE SUBSCRIPTION, in a very similar way to how it
> is used in foreign data wrappers?
>
Let's summarize.
To create a subscription into table X, a user must:
1. be a superuser
2. or (have the role pg_subscription_users
3. and be allowed to write into table X)
4. Condition 3 can be replaced/extended by "be the owner of table X".
5. Condition 2 can be replaced/extended by "have privileges for some remote
server".
Which combination of authorization rules do we want?
IMHO 1, 2, 4 are sufficient.
Best regards, Andrey Borodin.
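The rule set summarized above, written out as a decision predicate. This is an added example, not code from the thread or from PostgreSQL: `pg_subscription_users` is the role proposed in the discussion and does not exist as a predefined role, and the catalog (roles, tables, ACLs and the names `alice`, `bob`, `carol`, `dave`, `app_writers`, `orders`, `audit`) is constructed for illustration. The `accept_write_privilege` switch chooses between the strict 1, 2, 4 combination (role membership plus table ownership) and the extended reading in which rule 4 widens rule 3 (ownership or any write privilege). Role membership is resolved transitively, as PostgreSQL does for role grants, so a user who gets `pg_subscription_users` through an intermediate role is treated as a member.

```python
from dataclasses import dataclass, field

# Privileges PostgreSQL treats as "write" access to a table.
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "TRUNCATE"}
# Role proposed in the thread; hypothetical, not an existing predefined role.
SUBSCRIPTION_ROLE = "pg_subscription_users"


@dataclass
class Role:
    name: str
    superuser: bool = False
    member_of: set = field(default_factory=set)  # direct role memberships


@dataclass
class Table:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # grantee role -> set of privileges


class Catalog:
    """Minimal stand-in for the role/table catalog (constructed, not pg_* data)."""

    def __init__(self, roles, tables):
        self.roles = {r.name: r for r in roles}
        self.tables = {t.name: t for t in tables}

    def roles_of(self, name):
        """Transitive closure of role membership, including the role itself."""
        seen, stack = set(), [name]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.roles[r].member_of)
        return seen

    def is_superuser(self, name):
        return self.roles[name].superuser

    def is_owner(self, name, table):
        # Ownership also counts when it is held through a role the user belongs to.
        return self.tables[table].owner in self.roles_of(name)

    def can_write(self, name, table):
        acl = self.tables[table].acl
        return any(acl.get(r, set()) & WRITE_PRIVS for r in self.roles_of(name))


def can_create_subscription(cat, user, table, accept_write_privilege=False):
    """Return (allowed, reason) for rules 1, 2, 4 (default) or 1, 2, 3+4."""
    if cat.is_superuser(user):
        return True, "rule 1: superuser"
    if SUBSCRIPTION_ROLE not in cat.roles_of(user):
        return False, f"rule 2 failed: not a member of {SUBSCRIPTION_ROLE}"
    if cat.is_owner(user, table):
        return True, "rules 2+4: member of role and owner of table"
    if accept_write_privilege and cat.can_write(user, table):
        return True, "rules 2+3: member of role and has write privilege"
    return False, "rules 3/4 failed: neither owner of nor writer to table"


def build_sample_catalog():
    """Hand-built catalog used for the worked decisions below (constructed)."""
    roles = [
        Role("postgres", superuser=True),
        Role(SUBSCRIPTION_ROLE),
        Role("alice", member_of={SUBSCRIPTION_ROLE}),   # owns orders
        Role("bob", member_of={SUBSCRIPTION_ROLE}),     # only SELECT on audit
        Role("carol"),                                   # owns audit, no role
        Role("app_writers", member_of={SUBSCRIPTION_ROLE}),
        Role("dave", member_of={"app_writers"}),        # indirect membership
    ]
    tables = [
        Table("orders", owner="alice", acl={"app_writers": {"INSERT"}}),
        Table("audit", owner="carol", acl={"bob": {"SELECT"}}),
    ]
    return Catalog(roles, tables)


SAMPLE_CATALOG = build_sample_catalog()

if __name__ == "__main__":
    for mode in (False, True):
        print(f"accept_write_privilege={mode}")
        for user, table in [("postgres", "orders"), ("alice", "orders"),
                            ("bob", "orders"), ("carol", "audit"),
                            ("dave", "orders")]:
            ok, why = can_create_subscription(SAMPLE_CATALOG, user, table, mode)
            print(f"  {user:8} -> {table:6}: {'ALLOW' if ok else 'DENY '} ({why})")
```

Running the block prints the decision matrix for both readings; the only row that differs between them is `dave`, who reaches `pg_subscription_users` through `app_writers` and holds INSERT on `orders` but does not own it.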