On Tue, Oct 12, 2021 at 8:33 PM Stephen Frost <sfr...@snowman.net> wrote: > Or not. I can see the argument that, because it just goes into the log, that > it doesn’t make sense to grant to a predefined role, since that role wouldn’t > be able to see the results even if it had access.
Yeah. I think we should really only use predefined roles where it's not practical to have people use GRANT/REVOKE. For instance, it makes sense to have pg_execute_server_program because there's no particular function (or other object) to which you could grant permissions at the SQL level to achieve the same results. And pg_read_all_stats doesn't just allow you to run more functions: it changes which fields those functions populate in the returned data, and which they mask out for security reasons. So, GRANT/REVOKE wouldn't do it in that case. But if there's one particular function that someone may or may not want a non-superuser to be able to execute, let's just let them do that. It doesn't need to be tied to a predefined role, and in fact it's more flexible if it isn't. -- Robert Haas EDB: http://www.enterprisedb.com
