database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00
Code Activity

Add pg_read_all_data and pg_write_all_data roles

Browse Source 
A commonly requested use-case is to have a role who can run an
unfettered pg_dump without having to explicitly GRANT that user access
to all tables, schemas, et al, without that role being a superuser.
This address that by adding a "pg_read_all_data" role which implicitly
gives any member of this role SELECT rights on all tables, views and
sequences, and USAGE rights on all schemas.

As there may be cases where it's also useful to have a role who has
write access to all objects, pg_write_all_data is also introduced and
gives users implicit INSERT, UPDATE and DELETE rights on all tables,
views and sequences.

These roles can not be logged into directly but instead should be
GRANT'd to a role which is able to log in.  As noted in the
documentation, if RLS is being used then an administrator may (or may
not) wish to set BYPASSRLS on the login role which these predefined
roles are GRANT'd to.

Reviewed-by: Georgios Kokolatos
Discussion: https://postgr.es/m/20200828003023.GU29590@tamriel.snowman.net
This commit is contained in:
Stephen Frost
2021-04-05 13:42:52 -04:00
parent ad8b674922
commit 6c3ffd697e
6 changed files with 129 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
doc/src/sgml/user-manag.sgml
View File

@ -518,6 +518,24 @@ DROP ROLE doomed_role;
</row>
</thead>
<tbody>
<row>
<entry>pg_read_all_data</entry>
<entry>Read all data (tables, views, sequences), as if having SELECT
rights on those objects, and USAGE rights on all schemas, even without
having it explicitly. This role does not have the role attribute
<literal>BYPASSRLS</literal> set. If RLS is being used, an administrator
may wish to set <literal>BYPASSRLS</literal> on roles which this role is
GRANTed to.</entry>
</row>
<row>
<entry>pg_write_all_data</entry>
<entry>Write all data (tables, views, sequences), as if having INSERT,
UPDATE, and DELETE rights on those objects, and USAGE rights on all
schemas, even without having it explicitly. This role does not have the
role attribute <literal>BYPASSRLS</literal> set. If RLS is being used,
an administrator may wish to set <literal>BYPASSRLS</literal> on roles
which this role is GRANTed to.</entry>
</row>
<row>
<entry>pg_read_all_settings</entry>
<entry>Read all configuration variables, even those normally visible only to