Date: Thu, 12 Sep 2024 16:13:26 +0200 (CEST)
From: Andreas Joseph Krogh
To: Christophe Pettus
Cc: Tom Lane, pgsql-general, Greg Sabino Mullane
In-Reply-To: <97788FFC-9F3D-43EC-BC76-AD695250C11A@thebuild.com>
Subject: Re: Effects of REVOKE SELECT ON ALL TABLES IN SCHEMA pg_catalog FROM PUBLIC

On Thursday 12 September 2024 at 16:10:26, Christophe Pettus <xof@thebuild.com> wrote:

> > On Sep 12, 2024, at 06:58, Greg Sabino Mullane wrote:
> >
> > But if it works for you, go ahead. As Tom said, it will work 95% of the time. But it will break things that should work, and it will not prevent the ability to get the information in other ways. To be clear, we never recommend messing with the system catalogs, and this falls under the umbrella of messing with the system catalogs.
>
> I can only echo that if the compliance people are taking a position that "you need to make an unsupported, ad-hoc modification to the database software's authentication system in order to meet this requirement," then the requirement is one that you should run, not walk, to get a waiver to, as that's a very unreasonable position for them to take.

We're probably going down the postgres_fdw route, that seems to do the job.

--
Andreas Joseph Krogh
CTO / Partner - Visena AS
Mobile: +47 909 56 963
andreas@visena.com
www.visena.com