Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1s5JKl-004dc9-Tp
	for pgsql-general@arkaria.postgresql.org; Fri, 10 May 2024 06:02:19 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1s5JJj-00Cg2S-J3
	for pgsql-general@arkaria.postgresql.org; Fri, 10 May 2024 06:01:15 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <loknath.73@gmail.com>)
	id 1s5JJj-00Cg2J-5a
	for pgsql-general@lists.postgresql.org; Fri, 10 May 2024 06:01:15 +0000
Received: from mail-yw1-x112f.google.com ([2607:f8b0:4864:20::112f])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <loknath.73@gmail.com>)
	id 1s5JJh-000I7V-0J
	for pgsql-general@lists.postgresql.org; Fri, 10 May 2024 06:01:14 +0000
Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-6206ed9d3d5so3311487b3.1
        for <pgsql-general@lists.postgresql.org>; Thu, 09 May 2024 23:01:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1715320872; x=1715925672; darn=lists.postgresql.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=lNEvN8QPMIncRzL/njiW2PvEgYYnaONqrGQXQ8YFw0g=;
        b=K/YvVju9FXiFjLBCIQMaM3ohO5BaK0iL7CLudBKCzD/fcV3uk3zTvNTqf1CA34+per
         auuZy/H/vrC5HMiS3IQAwItKaZa0QwhnusOSzSWOdXtpUQljxb69QgdA3J/aXrpaOxWc
         tsA2f7YyG556pgoFtfdwwLKMApuuKYBE6+2SRve8c/NbxAhBAM3cGkFZVzYKNbuT6/hA
         0DzEu81oM+JQbDG7j1hQsKx9J2olLokO7/+CFpJkMCo3U5hRR6/qIkD7LUW/iBdKDt1Z
         LePT9pwBPi7lk/a7pZ37O5bB6b4JBAIvuN3ZndBU2eMahVRwK9D9tLEPrhc6LPdNBYIg
         Qp3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1715320872; x=1715925672;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=lNEvN8QPMIncRzL/njiW2PvEgYYnaONqrGQXQ8YFw0g=;
        b=ZO6RtkjmDE760Dv7esJvhgyDq/tyKWxQL3Qs3rYWzD4kocRaRI9FEaBVTvF/I8Llml
         AsaDokSFI+ymE7Wy6rtXNHIqQtu6H6YGnB9SmSRSvyBp5Da0gh0e2frK40ZDBiOFweTx
         Gom/F+6VDa0jhLxLr9t7lQTX5cyN0YyiEJnIjgee3AP1ziNIKKgoiwVIUfENhoXBr4sD
         b/z3uFYLQwm4WT34fbs4YB1xs829jHqVJjTevZV2uFJgBvs9WI8s66YQvPCqfnNvdc0n
         e2KlTRGLMJfr9NrxsLbA4BCE2xayPC8m88pKXCkjfav7gk8YaItT/COCo9LnYgH4hS0I
         PsHA==
X-Gm-Message-State: AOJu0YzPKo8nHOzyEFeedF59G+uHGPjeCC1HzImsBr4nYrWUjmGkjbI6
	JFkJ8bPEX6XeCpL9U3y7QKpJPJF0eEg5t/gDShO0+dIDs4DOhdpYM8n3xSF7GNa08/N4LntiAHN
	8hTo+0tk6YyLcbe2oWfSL2YoOgAg=
X-Google-Smtp-Source: AGHT+IEbSbuyscmT/fAvQQE0jr1QKlAMU7gNiex0jLSyW+YgSyX6kZWg6tip6eYTcSo+IFJ5DZBg4+H2cKnLX65C820=
X-Received: by 2002:a05:690c:6c13:b0:620:50e0:1124 with SMTP id
 00721157ae682-622affcdec3mr15708077b3.3.1715320872112; Thu, 09 May 2024
 23:01:12 -0700 (PDT)
MIME-Version: 1.0
References: <CAEzWdqdtbWCcSFgPAwsXPA2+6k2j0xud3mWbM=LktKp4y-ETgg@mail.gmail.com>
In-Reply-To: <CAEzWdqdtbWCcSFgPAwsXPA2+6k2j0xud3mWbM=LktKp4y-ETgg@mail.gmail.com>
From: Lok P <loknath.73@gmail.com>
Date: Fri, 10 May 2024 11:31:00 +0530
Message-ID: <CAKna9VY1+05VziBGD64SJeHGO-FPZc861z13C=JibfG2c+t_bQ@mail.gmail.com>
Subject: Re: Question on roles and privileges
To: yudhi s <learnerdatabase99@gmail.com>
Cc: pgsql-general <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000421d79061813439f"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAKna9VY1%2B05VziBGD64SJeHGO-FPZc861z13C%3DJibfG2c%2Bt_bQ%40mail.gmail.com>
Precedence: bulk

--000000000000421d79061813439f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

For the initial installation the extensions may need superuser privileges.

On Fri, May 10, 2024 at 10:04=E2=80=AFAM yudhi s <learnerdatabase99@gmail.c=
om>
wrote:

> Hello All,
> We want to make sure to keep minimal privileges for the users based on
> their roles and responsibility. We have one user group who will be workin=
g
> on analyzing/debugging into performance issues in the databases. Basicall=
y
> this group will be operating on extensions like apg_plan_management,
> pg_hint_plan, auto_explain, plprofiler, pg_repack. So these extensions wi=
ll
> already be installed for the group, but they will just need to use those
> appropriately. For example pg_hint_plan will not need any write privilege
> because the user just has to put the hint in the query and run it to see
> any performance variation.
>
> So like that , what kind of minimal privileges will each of these
> extensions need to make them work for this performance group? Basically i=
f
> any of these will need write privilege or all works can be performed usin=
g
> Readonly roles/privilege only?
>
> And I understand pg_monitor role wraps up most of the key read only
> privileges within it to work on performance issues and also its a readonl=
y
> privilege only. So I wanted to know from experts here , if it's true and
> pg_monitor role will suffice for all the above work?
>
> Regards
> Yudhi
>

--000000000000421d79061813439f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">For the initial installation the extensions may need super=
user privileges.</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=
=3D"gmail_attr">On Fri, May 10, 2024 at 10:04=E2=80=AFAM yudhi s &lt;<a hre=
f=3D"mailto:learnerdatabase99@gmail.com">learnerdatabase99@gmail.com</a>&gt=
; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px=
 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div di=
r=3D"ltr">Hello All,<div>We want to make sure to keep minimal privileges fo=
r the users based on their roles and responsibility. We have one user group=
 who will be working on analyzing/debugging into performance issues in the =
databases. Basically this group will be operating on extensions like apg_pl=
an_management, pg_hint_plan, auto_explain, plprofiler, pg_repack. So these =
extensions will already be installed for the group, but they will just need=
 to use those appropriately. For example pg_hint_plan will not need any wri=
te privilege because the user just has to put the hint in the query and run=
 it to see any performance variation.<br><br>So like that , what kind of mi=
nimal privileges will each of these extensions need to make them work for t=
his performance group? Basically if any of these will need write privilege =
or all works can be performed using Readonly roles/privilege only?</div><di=
v><br>And I understand pg_monitor role wraps up most of the key read only p=
rivileges within it to work on performance issues and also its a readonly p=
rivilege only. So I wanted to know from experts here , if it&#39;s true and=
 pg_monitor role will suffice for all the above work?<br><div><br></div><di=
v>Regards</div><div>Yudhi</div></div></div>
</blockquote></div>

--000000000000421d79061813439f--