Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vTO4Z-000TLR-3A for pgsql-admin@arkaria.postgresql.org; Wed, 10 Dec 2025 17:33:56 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vTO4Y-0009er-36 for pgsql-admin@arkaria.postgresql.org; Wed, 10 Dec 2025 17:33:55 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vTO4Y-0009ei-1x for pgsql-admin@lists.postgresql.org; Wed, 10 Dec 2025 17:33:55 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vTO4X-0000xC-0H for pgsql-admin@lists.postgresql.org; Wed, 10 Dec 2025 17:33:55 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 5BAHXnt8647282; Wed, 10 Dec 2025 12:33:49 -0500 From: Tom Lane To: "David G. Johnston" cc: richard coleman , Laurenz Albe , Pgsql-admin Subject: Re: database specific pg_read_all_data / pg_write_all_data In-reply-to: References: <72acf8ae4e56886081b9f632569f290d3246c33b.camel@cybertec.at> <8536f893e79693bd0a23d4cea7dbe0b6366378df.camel@cybertec.at> Comments: In-reply-to "David G. Johnston" message dated "Wed, 10 Dec 2025 07:25:29 -0700" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <647280.1765388029.1@sss.pgh.pa.us> Date: Wed, 10 Dec 2025 12:33:49 -0500 Message-ID: <647281.1765388029@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk "David G. Johnston" writes: > Fundamentally making group-role memberships per-database is a fundamental > change that seems quite unappealing to attempt without a solid use case > that it will enable. Yeah, I think this would be bad from both the intellectual-complexity and implementation-difficulty standpoints. However ... we've had multiple requests in the past to invent database-specific roles. I wonder if it'd suffice for Richard's purposes to create such roles and grant them pg_read_all_data. You can sort of do that today, in that you can muck with pg_hba.conf or database CONNECT privileges to limit which DBs a role can log into. But either answer works only at initial login; they don't constrain SET ROLE, so they're not really adequate for permissions-limiting purposes. I'm imagining a feature whereby a database-specific role is flat out not available in other databases; can't SET ROLE to it, can't GRANT privileges (at least on non-shared objects) to it. Probably role membership would still be nominally global, but it wouldn't matter if you couldn't use the role. This might still not pass the too-much-complexity test, but it has the advantage of being something that there's been multiple requests for. regards, tom lane