Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2015-01-29 Thread Robert Haas
On Thu, Jan 29, 2015 at 4:09 PM, Jim Nasby jim.na...@bluetreble.com wrote: The difference between the autovacuum-run vacuum and the cron-run vacuum is that the one running out of cron will just keep holding the lock until it's actually able to truncate the end of the relation, no? I recall

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2015-01-29 Thread Jim Nasby
On 1/28/15 7:45 PM, Stephen Frost wrote: Jim, * Jim Nasby (jim.na...@bluetreble.com) wrote: On 12/23/14 12:52 PM, Stephen Frost wrote: Autovacuum can certainly run vacuum/analyze on a few tables every 12 hours, so I'm not really following where you see autovacuum being unable to cope. I

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2015-01-29 Thread Jim Nasby
On 1/29/15 4:02 PM, Robert Haas wrote: On Thu, Jan 29, 2015 at 4:09 PM, Jim Nasby jim.na...@bluetreble.com wrote: The difference between the autovacuum-run vacuum and the cron-run vacuum is that the one running out of cron will just keep holding the lock until it's actually able to truncate the

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2015-01-29 Thread Tom Lane
Jim Nasby jim.na...@bluetreble.com writes: On 1/29/15 4:02 PM, Robert Haas wrote: I don't think this is true, and I don't think it's been true for a long time, if ever. The difference between a manual vacuum and autovacuum is that autovacuum commits suicide when it conflicts with somebody

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2015-01-28 Thread Stephen Frost
Jim, * Jim Nasby (jim.na...@bluetreble.com) wrote: On 12/23/14 12:52 PM, Stephen Frost wrote: Autovacuum can certainly run vacuum/analyze on a few tables every 12 hours, so I'm not really following where you see autovacuum being unable to cope. I agree that there*are* such cases, but

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2015-01-26 Thread Jim Nasby
On 12/23/14 12:52 PM, Stephen Frost wrote: * José Luis Tallón (jltal...@adv-solutions.net) wrote: On 12/23/2014 05:29 PM, Stephen Frost wrote: The capabilities would be: * MAINTENANCE --- Ability to run VACUUM [ANALYZE | FREEZE] (but not VACUUM FULL), ANALYZE (including SET

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-25 Thread Robert Haas
On Tue, Dec 23, 2014 at 11:20 AM, José Luis Tallón jltal...@adv-solutions.net wrote: I've found myself needing two role capabilities? as of lately, when thinking about restricting some roles to the barely minimum allowed permissions needed to perform their duties ... as opposed to having a

[HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread José Luis Tallón
Hello, I've found myself needing two role capabilities? as of lately, when thinking about restricting some roles to the barely minimum allowed permissions needed to perform their duties ... as opposed to having a superuser role devoted to these task. The capabilities would be: *

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread Stephen Frost
* José Luis Tallón (jltal...@adv-solutions.net) wrote: I've found myself needing two role capabilities? as of lately, when thinking about restricting some roles to the barely minimum allowed permissions needed to perform their duties ... as opposed to having a superuser role devoted to

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread José Luis Tallón
On 12/23/2014 05:29 PM, Stephen Frost wrote: * José Luis Tallón (jltal...@adv-solutions.net) wrote: I've found myself needing two role capabilities? as of lately, when thinking about restricting some roles to the barely minimum allowed permissions needed to perform their duties ... as

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread David G Johnston
José Luis Tallón-2 wrote On 12/23/2014 05:29 PM, Stephen Frost wrote: * José Luis Tallón ( jltallon@ ) wrote: * IMPERSONATE --- Ability to do SET AUTHORIZATION TO some_role; and RESET AUTHORIZATION This might be further refined to provide a way to say This role is authorized to

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread José Luis Tallón
On 12/23/2014 07:01 PM, David G Johnston wrote: Hmm the current documentation states that: The specified role_name must be a role that the current session user is a member of. I can see use cases where making the login role a member of every other used role quickly becomes a burden, and

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread Stephen Frost
* José Luis Tallón (jltal...@adv-solutions.net) wrote: On 12/23/2014 05:29 PM, Stephen Frost wrote: The capabilities would be: * MAINTENANCE --- Ability to run VACUUM [ANALYZE | FREEZE] (but not VACUUM FULL), ANALYZE (including SET LOCAL statistics_target TO 1), There's

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread José Luis Tallón
On 12/23/2014 07:01 PM, David G Johnston wrote: [snip] So you want to say: GRANT IMPERSONATE TO bouncer; --covers the ALL requirement instead of GRANT victim1 TO bouncer; GRANT victim2 TO bouncer; etc... -- these would still be used to cover the limited users requirement ? |GRANT

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread Stephen Frost
* David G Johnston (david.g.johns...@gmail.com) wrote: I'd rather there be better, more user friendly, SQL-based APIs to the permissions system that would facilitate performing and reviewing grants. This would be *really* nice, I agree. I've heard tale of people writing functions that go

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread Stephen Frost
* José Luis Tallón (jltal...@adv-solutions.net) wrote: On 12/23/2014 07:01 PM, David G Johnston wrote: [snip] So you want to say: GRANT IMPERSONATE TO bouncer; --covers the ALL requirement instead of GRANT victim1 TO bouncer; GRANT victim2 TO bouncer; etc... -- these would still

Re: [HACKERS] Proposal: two new role attributes and/or capabilities?

2014-12-23 Thread José Luis Tallón
On 12/23/2014 07:52 PM, Stephen Frost wrote: [snip] Manually performing VACUUM / VACUUM ANALYZE on the (few) affected tables every 12h or so fixes the performance problem for the particular queries without impacting the other users too much --- the tables and indexes in question have been moved