Greg, * Greg Stark (st...@mit.edu) wrote: > On Tue, Jan 28, 2014 at 11:56 AM, Josh Berkus <j...@agliodbs.com> wrote: > > For example, I would really like to GRANT an unpriv user access to the > > WAL columns in pg_stat_replication so that I can monitor replication > > delay without granting superuser permissions. > > So you can do this now by defining a security definer function that > extracts precisely the information you need and grant execute access > to precisely the users you want. There was some concern upthread about > defining security definer functions being tricky but I'm not sure what > conclusion to draw from that argument.
Yeah, but that sucks if you want to build a generic monitoring system like check_postgres.pl. Telling users to grant certain privileges may work out, telling them to install these pl/pgsql things you write as security-definer-to-superuser isn't going to be nearly as easy when these users are (understandably, imv) uncomfortable having a monitor role have superusr privs. Thanks, Stephen
signature.asc
Description: Digital signature