Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vTJxP-00H6LC-1c for pgsql-admin@arkaria.postgresql.org; Wed, 10 Dec 2025 13:10:15 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vTJxN-00BIam-32 for pgsql-admin@arkaria.postgresql.org; Wed, 10 Dec 2025 13:10:14 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vTJxN-00BIad-1j for pgsql-admin@lists.postgresql.org; Wed, 10 Dec 2025 13:10:13 +0000 Received: from mail-ej1-x62a.google.com ([2a00:1450:4864:20::62a]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vTJxL-004GVa-2Q for pgsql-admin@lists.postgresql.org; Wed, 10 Dec 2025 13:10:13 +0000 Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-b7277324204so1249696366b.0 for ; Wed, 10 Dec 2025 05:10:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cybertec.at; s=google; t=1765372210; x=1765977010; darn=lists.postgresql.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject :date:message-id:reply-to; bh=8KavQSndRLi5XeIkxO4ShYC8sVsshYvXyV3o4LN6ew8=; b=kWsKUCcBwanHlevcbYCv1VB2l7sAIYv/oJnIZyFeLtRkJfQ4CI+idLA06Ege23DYUf WydtT35ARnanJ4Qzs9mycYPIaG+cm3wRR757N08Y4f0AxXS02/jQ5SFsB2pCrTHhdLSP LfYm91LDsIxJxSRYqlfLrcw8tfQIia3h+0CnYI69MUwlPUAN9mEx4slGInCtjdz7SG6M bBzFgQ+mLOYE/us7ijiFb1yuDHU2U26cFfT+DKunGSNfXnvNdzEQ3CpuRcvETGLadQCV UpsKEcsdSk5GPLR5Tyj5PylV7AYBb/kVg+KR7Fkl8tGSNpb7MNf5JuSfiaurL2CvOXuM GaDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765372210; x=1765977010; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=8KavQSndRLi5XeIkxO4ShYC8sVsshYvXyV3o4LN6ew8=; b=P2xqPmWwp9ESiPtlRRN8AN4Af7gN8YoQx0Hcebd2EYj/EObP5afwzCbZFxevIyGO5D HrcsSz+CzGQDmNGWWa9cvqzQFSeTJ566KhXsrFbAbPn0IbXjDn6xUIZBVORlSDB0ftf2 B5iCLLkfYeJHQKcwqaKHerOBvVwAV7rJYtEzsAYjkcMRq/w2NjdAi09wXm9FrjGMWLpr P5QXVloYQPz6lXqMOev8gS5yVP7PlTmzwTDtHtP6LiXHev5pwijAYgyw7ckm/m3+tApq TOxVrSZWmlI4RnUO5HU8oQjhMJpWfCmtGlsUowToeGeRFRjAi9iddxhDkK1A2iYvdBqY oSWg== X-Gm-Message-State: AOJu0YyTkebL9dzJ8NHhl5uwRk4iVVrc0QyOxY5DGcjBmtJcZfnyOC+K mwLrwPrPa4BN5xyPO1GDgur39hHHMQ27RN6skbfM4yG3CxJALOhADkJu94tYewBvEFg= X-Gm-Gg: ASbGncvZDmtlxTd9tjjNyJzmCoBUKlIP6fEiVq1JBG4CkqreevBOtWy3II7LASLUqYH oM7KFgYnVwljWKqsltm70UYmkQFKJPrzZ04OINmX2JmCYOkWhf0LpbzMrOMRakUPOGBZhtsuVnK pzIHOqwt4GVn8/vktKr/59iv8KZczb96lBaO/S2FLAjAcQSgxH5D5tEUWcOqjDyfObMAsH3sdhi 28TT956mB/aS7QYNHinthNC0GzAkFFw8DwE/MKHWkpGbNZG7atkwlPEtYM4h0pg26E4x6jcnXgn h3AuaWp/UpDcCm08URWU1yhjbR42hqsaM+jW7BIpS4MgVo8Pkf6hoFgnCpBphm8jX2Cgxntezqy NU7Ji3R4ooB3jEceRMAVHN2qpN9+wx6l5zfo6xTA/uLQKxOdn6FpOb1rra7j7WLa5ULYrsc9OXs WtpehKX93HMNpU3WL3N5H6uKikOrL1cSAQATxNbEAW X-Google-Smtp-Source: AGHT+IEZ93AUS10KsmaLuRoacNiRscGq0P31/97gECpMMR+yO1M/YTUtnFn5PKeEnokWTfhY4zu65w== X-Received: by 2002:a17:907:6d06:b0:b70:7cd8:9098 with SMTP id a640c23a62f3a-b7ce858303fmr242651566b.61.1765372209371; Wed, 10 Dec 2025 05:10:09 -0800 (PST) Received: from laurenz.albe-K4N0CV00F97414D ([88.116.133.170]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b79f4498797sm1685435866b.19.2025.12.10.05.10.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Dec 2025 05:10:09 -0800 (PST) Message-ID: <8536f893e79693bd0a23d4cea7dbe0b6366378df.camel@cybertec.at> Subject: Re: database specific pg_read_all_data / pg_write_all_data From: Laurenz Albe To: richard coleman Cc: Pgsql-admin Date: Wed, 10 Dec 2025 14:10:03 +0100 In-Reply-To: References: <72acf8ae4e56886081b9f632569f290d3246c33b.camel@cybertec.at> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.56.2 (3.56.2-2.fc42) MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, 2025-12-10 at 08:06 -0500, richard coleman wrote: > Multiple clusters would be nice, but we don't have the available servers = to accomodate that. You can run many clusters on a single server... > Without the pg_read_all_data role there is apparently no other way in=C2= =A0 PostgreSQL to > automatically assign these privs to each and every table/view that exists= or will be > created without using the nuclear option and granting super user privs. > Unless there is something else that I am missing which could be used when= creating your > suggested "readonly_dbname" role.=C2=A0 Yes, and that is ALTER DEFAULT PRIVILEGES. > It's a shame that PostgreSQL has created some extremely useful built in r= oles, but then > limits them such that they can only be utilized for vanishingly few actua= l use cases. >=20 > Hopefully the PostgreSQL devs revisit these built in roles with a thought= toward making > database specific ones assignable=C2=A0 with a mechanism like: >=20 > grant=C2=A0pg_read_all_data=C2=A0on database=C2=A0foo=C2=A0to=C2=A0user_r= ole; Frankly, I think that "pg_read_all_data" is ugly and should never have been= added. Yours, Laurenz Albe