> On May 13, 2021, at 12:18 PM, Jacob Champion <pchamp...@vmware.com> wrote:
> 
> On Thu, 2021-05-13 at 11:42 -0700, Mark Dilger wrote:
>> The distinction that Theme+Security would make is that capabilities
>> can be categorized by the area of the system:
>>  -- planner
>>  -- replication
>>  -- logging
>>  ...
>> but also by the security implications of what is being done:
>>  -- host
>>  -- schema
>>  -- network
> Since the "security" buckets are being used for both proposals -- how
> would you deal with overlap between them? When a GUC gives you enough
> host access to bleed into the schema and network domains, does it get
> all three attributes assigned to it, and thus require membership in all
> three roles?

Yeah, from a security standpoint, pg_host_admin basically gives everything 
away.  I doubt service providers would give the "host" or "network" security to 
their tenants, but they would probably consider giving "schema" security to the 
tenants.

> (Thanks, by the way, for this thread -- I think a "capability system"
> for superuser access is a great idea.)

I am happy to work on this, and appreciate feedback....

—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company




