public inbox for [email protected]help / color / mirror / Atom feed
pg_monitor role description 11+ messages / 6 participants [nested] [flat]
* pg_monitor role description @ 2021-05-20 06:11 PG Doc comments form <[email protected]> 0 siblings, 1 reply; 11+ messages in thread From: PG Doc comments form @ 2021-05-20 06:11 UTC (permalink / raw) To: [email protected]; +Cc: [email protected] The following documentation comment has been logged on the website: Page: https://www.postgresql.org/docs/13/default-roles.html Description: "This role is a member of pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables." Is it correct sentence? It seems for me that pg_read_all_stats is a member of pg_monitor. But not vice versa. ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-20 07:00 Michael Paquier <[email protected]> parent: PG Doc comments form <[email protected]> 0 siblings, 1 reply; 11+ messages in thread From: Michael Paquier @ 2021-05-20 07:00 UTC (permalink / raw) To: [email protected]; [email protected] On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote: > "This role is a member of pg_read_all_settings, pg_read_all_stats and > pg_stat_scan_tables." > Is it correct sentence? > It seems for me that pg_read_all_stats is a member of pg_monitor. But not > vice versa. Here is what I am getting: =# \dgS pg_monitor List of roles Role name | Attributes | Member of ------------+--------------+-------------------------------------------------------------- pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} =# \dgS pg_read_all_data List of roles Role name | Attributes | Member of ------------------+--------------+----------- pg_read_all_data | Cannot login | {} So the docs look correct to me. -- Michael Attachments: [application/pgp-signature] signature.asc (833B, 2-signature.asc) download ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-20 08:54 Julien Rouhaud <[email protected]> parent: Michael Paquier <[email protected]> 0 siblings, 1 reply; 11+ messages in thread From: Julien Rouhaud @ 2021-05-20 08:54 UTC (permalink / raw) To: Michael Paquier <[email protected]>; +Cc: [email protected]; [email protected] On Thu, May 20, 2021 at 3:01 PM Michael Paquier <[email protected]> wrote: > > On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote: > > "This role is a member of pg_read_all_settings, pg_read_all_stats and > > pg_stat_scan_tables." > > Is it correct sentence? > > It seems for me that pg_read_all_stats is a member of pg_monitor. But not > > vice versa. > > Here is what I am getting: > =# \dgS pg_monitor > List of roles > Role name | Attributes | Member of > ------------+--------------+-------------------------------------------------------------- > pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} > > =# \dgS pg_read_all_data > List of roles > > Role name | Attributes | Member of > ------------------+--------------+----------- > pg_read_all_data | Cannot login | {} > > So the docs look correct to me. Indeed. In other words pg_monitor is the sum of the authorizations given by all those roles. ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-20 12:44 Pavel Luzanov <[email protected]> parent: Julien Rouhaud <[email protected]> 0 siblings, 1 reply; 11+ messages in thread From: Pavel Luzanov @ 2021-05-20 12:44 UTC (permalink / raw) To: Julien Rouhaud <[email protected]>; Michael Paquier <[email protected]>; +Cc: [email protected]; [email protected] On 20.05.2021 11:54, Julien Rouhaud wrote: > On Thu, May 20, 2021 at 3:01 PM Michael Paquier <[email protected]> wrote: >> On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote: >>> "This role is a member of pg_read_all_settings, pg_read_all_stats and >>> pg_stat_scan_tables." >>> Is it correct sentence? >>> It seems for me that pg_read_all_stats is a member of pg_monitor. But not >>> vice versa. >> Here is what I am getting: >> =# \dgS pg_monitor >> List of roles >> Role name | Attributes | Member of >> ------------+--------------+-------------------------------------------------------------- >> pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} >> >> =# \dgS pg_read_all_data >> List of roles >> >> Role name | Attributes | Member of >> ------------------+--------------+----------- >> pg_read_all_data | Cannot login | {} >> >> So the docs look correct to me. > Indeed. In other words pg_monitor is the sum of the authorizations > given by all those roles. Let me try one more time. What is correct from the English language point of view: 1. Julien Rouhaud is a member of PostgreSQL Community. or 2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier. Or both forms are correct? I think that 1 is correct. And column header in a \du output must be something like 'members' instead of 'member of'. -- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-20 16:03 Tom Lane <[email protected]> parent: Pavel Luzanov <[email protected]> 0 siblings, 2 replies; 11+ messages in thread From: Tom Lane @ 2021-05-20 16:03 UTC (permalink / raw) To: Pavel Luzanov <[email protected]>; +Cc: Julien Rouhaud <[email protected]>; Michael Paquier <[email protected]>; [email protected]; [email protected] Pavel Luzanov <[email protected]> writes: > Let me try one more time. > What is correct from the English language point of view: > 1. Julien Rouhaud is a member of PostgreSQL Community. > or > 2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier. > Or both forms are correct? > I think that 1 is correct. You're right about that ... > And column header in a \du output must be something like 'members' instead of 'member of'. ... but this does not follow, because it's a poor analogy. "Member of" means "these role(s) have been GRANT'ed to pg_monitor". As a more typical use-case, there might be a role "sysadmins" that holds assorted privileges, and then certain individual users are granted that role. Nobody would quibble with seeing List of roles Role name | Attributes | Member of -----------+--------------+------------- bob | | {sysadmins} joe | | {sysadmins} sysadmins | Cannot login | {} and I think most would agree that titling the column "Members" would be backwards. regards, tom lane ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-20 16:16 Laurenz Albe <[email protected]> parent: Tom Lane <[email protected]> 1 sibling, 0 replies; 11+ messages in thread From: Laurenz Albe @ 2021-05-20 16:16 UTC (permalink / raw) To: Tom Lane <[email protected]>; Pavel Luzanov <[email protected]>; +Cc: Julien Rouhaud <[email protected]>; Michael Paquier <[email protected]>; [email protected]; [email protected] On Thu, 2021-05-20 at 12:03 -0400, Tom Lane wrote: > List of roles > Role name | Attributes | Member of > -----------+--------------+------------- > bob | | {sysadmins} > joe | | {sysadmins} > sysadmins | Cannot login | {} > > and I think most would agree that titling the column "Members" would > be backwards. Right. you have to read that like: Role name (bob) with attributes () is a member of (sysadmins). Yours, Laurenz Albe ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-20 17:27 Pavel Luzanov <[email protected]> parent: Tom Lane <[email protected]> 1 sibling, 2 replies; 11+ messages in thread From: Pavel Luzanov @ 2021-05-20 17:27 UTC (permalink / raw) To: [email protected] Hello, On 20.05.2021 19:03, Tom Lane wrote: > Pavel Luzanov <[email protected]> writes: >> Let me try one more time. >> What is correct from the English language point of view: >> 1. Julien Rouhaud is a member of PostgreSQL Community. >> or >> 2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier. >> Or both forms are correct? >> I think that 1 is correct. > You're right about that ... So, is it correct to change description of pg_monitor role from: "Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|." to "Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role." I can prepare a simple patch. >> And column header in a \du output must be something like 'members' instead of 'member of'. > ... but this does not follow, because it's a poor analogy. "Member of" > means "these role(s) have been GRANT'ed to pg_monitor". Yes, I understood this point and agree. -- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-20 18:00 Pavel Luzanov <[email protected]> parent: Pavel Luzanov <[email protected]> 1 sibling, 0 replies; 11+ messages in thread From: Pavel Luzanov @ 2021-05-20 18:00 UTC (permalink / raw) To: [email protected] Hello, On 20.05.2021 20:27, Pavel Luzanov wrote: > So, is it correct to change description of pg_monitor role from: > "Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|." > to > "Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role." > > I can prepare a simple patch. Just in case, patch attached. -- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company Attachments: [text/x-patch] doc-pg_monitor.patch (773B, 3-doc-pg_monitor.patch) download | inline diff: diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index fe0bdb7599..00338bbebd 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml @@ -554,9 +554,9 @@ DROP ROLE doomed_role; <row> <entry>pg_monitor</entry> <entry>Read/execute various monitoring views and functions. - This role is a member of <literal>pg_read_all_settings</literal>, - <literal>pg_read_all_stats</literal> and - <literal>pg_stat_scan_tables</literal>.</entry> + The roles <literal>pg_read_all_settings</literal>, + <literal>pg_read_all_stats</literal> and <literal>pg_stat_scan_tables</literal> + are members of this role.</entry> </row> <row> <entry>pg_database_owner</entry> ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-20 18:10 Tom Lane <[email protected]> parent: Pavel Luzanov <[email protected]> 1 sibling, 1 reply; 11+ messages in thread From: Tom Lane @ 2021-05-20 18:10 UTC (permalink / raw) To: Pavel Luzanov <[email protected]>; +Cc: [email protected] Pavel Luzanov <[email protected]> writes: > So, is it correct to change description of pg_monitor role from: > "Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|." > to > "Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role." No, it is not. That wording implies that the built-in grants are like GRANT pg_monitor TO pg_read_all_settings and so on, where the truth is the opposite. regards, tom lane ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-20 18:25 Pavel Luzanov <[email protected]> parent: Tom Lane <[email protected]> 0 siblings, 1 reply; 11+ messages in thread From: Pavel Luzanov @ 2021-05-20 18:25 UTC (permalink / raw) To: Tom Lane <[email protected]>; +Cc: [email protected] On 20.05.2021 21:10, Tom Lane wrote: > Pavel Luzanov <[email protected]> writes: >> So, is it correct to change description of pg_monitor role from: >> "Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|." >> to >> "Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role." > No, it is not. That wording implies that the built-in grants are like > > GRANT pg_monitor TO pg_read_all_settings > > and so on, where the truth is the opposite. I'm totally confused. I'm taking timeout to think about it. -- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company ^ permalink raw reply [nested|flat] 11+ messages in thread
* Re: pg_monitor role description @ 2021-05-22 20:27 Pavel Luzanov <[email protected]> parent: Pavel Luzanov <[email protected]> 0 siblings, 0 replies; 11+ messages in thread From: Pavel Luzanov @ 2021-05-22 20:27 UTC (permalink / raw) To: Tom Lane <[email protected]>; +Cc: [email protected] On 20.05.2021 21:25, Pavel Luzanov wrote: > I'm totally confused. I'm taking timeout to think about it. I got it! It wasn't my day.)) This wording worked for me: The pg_monitor role is a member of the pg_read_all_settings role, which allows its privileges to be used. Therefore, pg_monitor can get the value of any configuration parameter. Thanks for clarifying. -- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company ^ permalink raw reply [nested|flat] 11+ messages in thread
end of thread, other threads:[~2021-05-22 20:27 UTC | newest] Thread overview: 11+ messages (download: mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2021-05-20 06:11 pg_monitor role description PG Doc comments form <[email protected]> 2021-05-20 07:00 ` Michael Paquier <[email protected]> 2021-05-20 08:54 ` Julien Rouhaud <[email protected]> 2021-05-20 12:44 ` Pavel Luzanov <[email protected]> 2021-05-20 16:03 ` Tom Lane <[email protected]> 2021-05-20 16:16 ` Laurenz Albe <[email protected]> 2021-05-20 17:27 ` Pavel Luzanov <[email protected]> 2021-05-20 18:00 ` Pavel Luzanov <[email protected]> 2021-05-20 18:10 ` Tom Lane <[email protected]> 2021-05-20 18:25 ` Pavel Luzanov <[email protected]> 2021-05-22 20:27 ` Pavel Luzanov <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox