> adrian.kla...@aklaver.com wrote: > >> karsten.hilb...@gmx.net: >> >>> adrian.kla...@aklaver.com wrote: >>> >>>> b...@yugabyte.com >>>> >>>> Thanks to all who offered their views on my question. It seems that >>>> different people will reach different conclusions. I’ll take this as >>>> permission to reach my own conclusion. >>> >>> Not sure why you think you need permission to take whatever action you >>> desire on a database whose only usage stipulation is that you maintain a >>> copy of the license. >> >> Adrian, I think Bryn's speaking metaphorically there. > > It is hard to tell with him. He makes much of his Oracle background and I > think misses an overlord that lays down the rules.
I didn’t mean to speak metaphorically. But I made a bad word choice when I used “permission”. A couple of turns back, David Johnston wrote this: > there is no good blanket recommendation to give to someone else as to how > their [security] policy should be written. Security, especially of this > sort, needs to be architected. And some time ago, in a different thread, he wrote this: > You only need superuser once to configure the system in such a way, through > role and grants and possibly default permissions, that from then on most > everything an application user would want to do can be done by the role(s) > you have created. That second quote reads like a recommendation—which puts it at odds with the first quote. (But doubtless I’m reading it wrongly.) Then there’s this (from the doc): > It is good practice to create a role that has the CREATEDB and CREATEROLE > privileges, but is not a superuser, and then use this role for all routine > management of databases and roles. This approach avoids the dangers of > operating as a superuser for tasks that do not really require it. That, too, reads like a recommendation that intends to inform a security policy. But, I suppose, one could argue that saying something “is good practice” is very different from making a recommendation. Consider this wording. It also uses “good practice”. « It is good practice to limit the number of superuser roles that exist in a cluster to exactly one: the inevitable bootstrap superuser. This recognizes the fact that, once the initial configuration of a cluster has been done immediately after its creation (which configuration is done while still in self-imposed single-user mode), there are then very few, and infrequent, tasks that require the power of the superuser role. » Nobody supports it! I’m puzzled why the good practice statement about a role with the CREATEDB and CREATEROLE attributes earns a place in the doc while nobody at all is prepared to make a practice statement about how many superusers is good. I’d like very much to understand the critical parts that I’m missing of the essential mental model in this general space.