On 3/29/17 19:01, Petr Jelinek wrote:
>> So this CREATE SUBSCRIPTION priv actually gives you the power to cause
>> the system to open network connections to the outside world. It's not
>> something you give freely to random strangers -- should be guarded
>> moderately tight, because it could be
On 29/03/17 20:55, Alvaro Herrera wrote:
> Peter Eisentraut wrote:
>> On 3/15/17 21:54, Peter Eisentraut wrote:
>
>>> 0004 Add subscription apply worker privilege checks
>>> 0005 Add CREATE SUBSCRIPTION privilege on databases
>>
>> It would be nice to reach a conclusion on these (the second one
Peter Eisentraut wrote:
> On 3/15/17 21:54, Peter Eisentraut wrote:
> > 0004 Add subscription apply worker privilege checks
> > 0005 Add CREATE SUBSCRIPTION privilege on databases
>
> It would be nice to reach a conclusion on these (the second one
> particularly), because otherwise we'll be
On 3/15/17 21:54, Peter Eisentraut wrote:
> 0001 Refine rules for altering publication owner
> 0002 Change logical replication pg_hba.conf use
These two were committed.
> 0003 Add USAGE privilege for publications
I'm withdrawing this one for now, because of some issues that were
discussed in
On 3/22/17 08:12, Petr Jelinek wrote:
> On 22/03/17 03:38, Peter Eisentraut wrote:
>> On 3/20/17 15:10, Petr Jelinek wrote:
>>> Hmm but REPLICATION role can do basebackup/consume wal, so how does
>>> giving it limited publication access help? Wouldn't we need some
>>> SUBSCRIPTION role/grant used
On 3/18/17 09:31, Petr Jelinek wrote:
>> 0001 Refine rules for altering publication owner
>>
>> kind of a bug fix
>
> Agreed, this can be committed as is.
>
>>
>> 0002 Change logical replication pg_hba.conf use
>>
>> This was touched upon in the discussion at
>>
On 22/03/17 03:38, Peter Eisentraut wrote:
> On 3/20/17 15:10, Petr Jelinek wrote:
>> Hmm but REPLICATION role can do basebackup/consume wal, so how does
>> giving it limited publication access help? Wouldn't we need some
>> SUBSCRIPTION role/grant used instead for logical replication connections
On 3/20/17 15:10, Petr Jelinek wrote:
> Hmm but REPLICATION role can do basebackup/consume wal, so how does
> giving it limited publication access help? Wouldn't we need some
> SUBSCRIPTION role/grant used instead for logical replication connections
> instead of REPLICATION for this to make sense?
On 20/03/17 13:32, Peter Eisentraut wrote:
> On 3/18/17 09:31, Petr Jelinek wrote:
>>> 0003 Add USAGE privilege for publications
>>>
>>> a way to control who can subscribe to a publication
>>>
>> Hmm IIUC this removes ability of REPLICATION role to subscribe to
>> publications. I am not quite sure
On 3/18/17 09:31, Petr Jelinek wrote:
>> 0003 Add USAGE privilege for publications
>>
>> a way to control who can subscribe to a publication
>>
> Hmm IIUC this removes ability of REPLICATION role to subscribe to
> publications. I am not quite sure I like that.
Well, this is kind of the way with
Hi,
I went over this patch set, don't really have all that much to say
except it looks good for the most part (details inline).
On 16/03/17 02:54, Peter Eisentraut wrote:
> New patch set based on the discussions. I have dropped the PUBLICATION
> privilege patch. The patches are also reordered
New patch set based on the discussions. I have dropped the PUBLICATION
privilege patch. The patches are also reordered a bit in approximate
decreasing priority order.
0001 Refine rules for altering publication owner
kind of a bug fix
0002 Change logical replication pg_hba.conf use
This was
On 3/14/17 14:49, Petr Jelinek wrote:
> Not what I mean - owner should be able to publish table. If you are
> granted role of the owner you can do what owner can no?
I didn't actually know that ownership worked that way. You can grant
the role of an owner to someone, and then that someone has
On 3/14/17 15:37, Petr Jelinek wrote:
> Yeah that's rather hard to say in front. Maybe safest action would be to
> give the permission to owners in 10 and revisit special privilege in 11
> based on feedback?
I'm fine with that.
--
Peter Eisentraut http://www.2ndQuadrant.com/
On 3/14/17 15:05, Stephen Frost wrote:
> Another approach to solving my concern would be to only allow the
> publishing of tables by non-owner users who have table-level SELECT
> rights
An early version of the logical replication patch set did that. But the
problem is that this way someone with
On Tue, Mar 14, 2017 at 3:37 PM, Petr Jelinek wrote:
> On 14/03/17 20:09, Robert Haas wrote:
>> On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek wrote:
>>> Note that I am not necessarily saying it's better though, just trying to
>>>
On 14/03/17 20:09, Robert Haas wrote:
> On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek wrote:
>> Note that I am not necessarily saying it's better though, just trying to
>> explain. It definitely has drawbacks, as in order to grant publish on
>> one table you might
Greetings,
* Robert Haas (robertmh...@gmail.com) wrote:
> However, what I'm not clear about is whether this is a situation
> that's likely to come up much in practice. I would have thought that
> publications and subscriptions would typically be configured by roles
> with quite high levels of
On Tue, Mar 14, 2017 at 2:56 PM, Petr Jelinek wrote:
> Note that I am not necessarily saying it's better though, just trying to
> explain. It definitely has drawbacks, as in order to grant publish on
> one table you might be granting lots of privileges on various
Greetings,
* Petr Jelinek (petr.jeli...@2ndquadrant.com) wrote:
> On 14/03/17 19:47, Robert Haas wrote:
> > On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek wrote:
> >> My understanding of what Stephen is proposing is, you have "ownerA" of
> >> tableA and "ownerB"
On 14/03/17 19:49, Petr Jelinek wrote:
> On 14/03/17 19:47, Robert Haas wrote:
>> On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek wrote:
>>> My understanding of what Stephen is proposing is, you have "ownerA" of
>>> tableA and "ownerB" of tableB, then you want role
On 14/03/17 19:47, Robert Haas wrote:
> On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek wrote:
>> My understanding of what Stephen is proposing is, you have "ownerA" of
>> tableA and "ownerB" of tableB, then you want role "publisher" to be able
>> to publish those,
On Tue, Mar 14, 2017 at 2:41 PM, Petr Jelinek wrote:
> My understanding of what Stephen is proposing is, you have "ownerA" of
> tableA and "ownerB" of tableB, then you want role "publisher" to be able
> to publish those, so you simply grant it the "ownerA" and
On 10/03/17 20:02, Peter Eisentraut wrote:
> On 2/27/17 22:10, Stephen Frost wrote:
>> Peter,
>>
>> * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
>>> On 2/18/17 18:06, Stephen Frost wrote:
I'm not convinced that it really makes sense to have PUBLICATION of a
table be
On 3/3/17 10:07, Stephen Frost wrote:
> Will users really understand that the PUBLISH right actually allows
> complete access to the entire relation, rather than just the ability for
> a user to PUBLISH what they are currently about to SELECT? It certainly
> doesn't seem intuitive to me, which is
On 2/27/17 22:10, Stephen Frost wrote:
> Peter,
>
> * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
>> On 2/18/17 18:06, Stephen Frost wrote:
>>> I'm not convinced that it really makes sense to have PUBLICATION of a
>>> table be independent from the rights an owner of a table has.
* Petr Jelinek (petr.jeli...@2ndquadrant.com) wrote:
> On 28/02/17 04:10, Stephen Frost wrote:
> > Peter,
> >
> > * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
> >> On 2/18/17 18:06, Stephen Frost wrote:
> >>> I'm not convinced that it really makes sense to have PUBLICATION of a
>
On 28/02/17 04:10, Stephen Frost wrote:
> Peter,
>
> * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
>> On 2/18/17 18:06, Stephen Frost wrote:
>>> I'm not convinced that it really makes sense to have PUBLICATION of a
>>> table be independent from the rights an owner of a table has.
Peter,
* Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
> On 2/18/17 18:06, Stephen Frost wrote:
> > I'm not convinced that it really makes sense to have PUBLICATION of a
> > table be independent from the rights an owner of a table has. We don't
> > allow other ALTER commands on
On 2/18/17 18:06, Stephen Frost wrote:
> I'm not convinced that it really makes sense to have PUBLICATION of a
> table be independent from the rights an owner of a table has. We don't
> allow other ALTER commands on objects based on GRANT'able rights, in
> general, so I'm not really sure that it
Peter,
* Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
> 0002 Add PUBLICATION privilege
>
> Add a new privilege kind to tables to determine whether they can be
> added to a publication.
I'm not convinced that it really makes sense to have PUBLICATION of a
table be independent from
Here is a patch set to refine various access control settings in logical
replication. Currently, you need to be replication or superuser for
most things, and the goal of these patches is to allow ordinary users
equipped with explicit privileges to do most things. (Btw., current
documentation is
32 matches