* Robert Haas (robertmh...@gmail.com) wrote: > On Mon, Jan 26, 2015 at 1:59 PM, Andres Freund <and...@2ndquadrant.com> wrote: > > On 2015-01-26 13:47:02 -0500, Stephen Frost wrote: > >> Right. We already have a role attribute which allows pg_basebackup > >> (replication). Also, with pg_basebackup / rolreplication, your role > >> is able to read the entire data directory from the server, that's not > >> the case with only rights to run pg_start/stop_backup. > >> > >> In conjunction with enterprise backup solutions and SANs, which offer > >> similar controls where a generally unprivileged user can have a snapshot > >> of the system taken through the SAN interface, you can give users the > >> ability to run ad-hoc backups of the cluster without giving them > >> superuser-level access or replication-level access. > > > > I'm sorry if this has already been discussed, but the thread is awfully > > long already. But what's actually the point of having a separate > > EXCLUSIVEBACKUP permission? Using it still requires full file system > > access to the data directory, so the additional permissions granted by > > replication aren't really relevant. > > That's not necessarily true. You could be able to run a command like > "san_snapshot $PGDATA" without necessarily having the permissions to > inspect the contents of the resulting snapshot. Of course somebody > should be doing that, but in accord with the principle of least > privilege, there's no reason that the account running the unattended > backup needs to have those rights.
Right! You explained it more clearly than I did.
Thanks!
Stephen
signature.asc
Description: Digital signature
