On Wed, 2021-10-13 at 10:03 -0400, Robert Haas wrote:
> Yeah. I think we should really only use predefined roles where it's
> not practical to have people use GRANT/REVOKE.
That sounds like a good rule.
A minor complaint though: to grant on pg_backend_memory_contexts, you
need two grant statements:
grant select on pg_backend_memory_contexts to foo;
grant execute on function pg_get_backend_memory_contexts() to foo;
The second is more of an internal detail, and we don't really want
users to be relying on that undocumented function. Is there a good way
to define a view kind of like a SECURITY DEFINER function so that the
superuser would only need to issue a GRANT statement on the view?
Regards,
Jeff Davis