On Mon, 2005-12-12 at 16:35 -0600, Jim C. Nasby wrote:
> On Mon, Dec 12, 2005 at 05:27:33PM -0500, Andrew Dunstan wrote:
> > >On Mon, Dec 12, 2005 at 05:00:45PM -0500, Tom Lane wrote:
> > >
> > >
> > >>"Jim C. Nasby" <jnasby@pervasive.com> writes:
> > >>
> > >>
> > >>>I'd love to see something like SUDO ALTER USER ... SUDO REINDEX ... etc.
> > >>>That would make it easy to do 'normal' work with a non-superuser
> > >>>account.
> > >>>
> > >>>
> > >>You can already do most of this with SET/RESET ROLE:
> > >>
> > >>
> > >
> > >Very cool, I didn't realize that. It would still be nice if there was a
> > >way to do it on a per-command basis (since often you just need to run
> > >one command as admin/dba/what-have-you), but I suspect adding that to
> > >the grammar would be a real PITA. Perhaps it could be added to psql
> > >though...
> >
> > If it's one command can't you wrap it in a security definer function?
>
> Sure, if it's a command you'll be using over and over. Which I guess
> some are, but it's still a pain.
> Maybe what I'm asking for will only make sense to people who use sudo...

Having a set of fine-grained permissions that you could grant to roles
could be useful.

A sudo equivalent would be a version of psql that always connected to
the database using super-user and allowed command execution based on a
regular expression. Bit of a hack to say the least.
--
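
Added example, not part of the original thread: the two approaches discussed above (SET ROLE / RESET ROLE around one statement, and wrapping one command in a SECURITY DEFINER function), written for PostgreSQL. The roles dba_admin, alice and report_user, the table public.orders, the schema maint and the function reindex_table are all hypothetical names, and the setup statements are assumed to be run by a superuser.

```sql
-- Setup (constructed names). dba_admin owns the table but is NOT a superuser.
CREATE ROLE dba_admin NOLOGIN;
CREATE ROLE alice LOGIN NOINHERIT;   -- NOINHERIT: no admin rights by default
CREATE ROLE report_user LOGIN;       -- not a member of dba_admin at all
GRANT dba_admin TO alice;

CREATE TABLE public.orders (id int PRIMARY KEY);
ALTER TABLE public.orders OWNER TO dba_admin;

-- Approach 1: SET ROLE / RESET ROLE. Connected as alice, elevate only for
-- the statement that needs it, then drop back.
SET ROLE dba_admin;
REINDEX TABLE public.orders;
RESET ROLE;

-- Approach 2: SECURITY DEFINER wrapper for one command, usable by a role
-- that is not a member of dba_admin.
CREATE SCHEMA maint AUTHORIZATION dba_admin;

CREATE FUNCTION maint.reindex_table(target regclass) RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so the caller cannot substitute objects from a schema
-- they control while the body runs with the owner's rights.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- regclass only accepts an existing relation and renders it quoted and
    -- schema-qualified, so the argument cannot carry extra SQL text.
    -- Plain (non-CONCURRENTLY) REINDEX TABLE is used here.
    EXECUTE format('REINDEX TABLE %s', target);
END;
$$;

-- The function runs as its owner: keep that owner a limited role, so the
-- wrapper can only touch tables dba_admin owns.
ALTER FUNCTION maint.reindex_table(regclass) OWNER TO dba_admin;

-- Functions are executable by PUBLIC by default; remove that, then grant
-- the single capability to the role that needs it.
REVOKE ALL ON FUNCTION maint.reindex_table(regclass) FROM PUBLIC;
GRANT USAGE ON SCHEMA maint TO report_user;
GRANT EXECUTE ON FUNCTION maint.reindex_table(regclass) TO report_user;

-- Connected as report_user:
SELECT maint.reindex_table('public.orders');
```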