Haas: Surviving Without A Superuser - Part One
[Development] Posted Dec 9, 2021 19:56 UTC (Thu) by corbet
PostgreSQL developer Robert Haas has begun a blog series on what would be needed to allow database administrators to safely delegate superuser powers.
Consider, for example, the case of a service provider who would like to support a database with multiple customers as tenants. The customers will naturally want to feel as if they have the powers of a true superuser, with the ability to do things like create new roles, drop old ones, change permissions on objects that they don't own, and generally enjoy the freedom to bypass permission checks at the SQL level which superusers enjoy. The service provider, who is the true superuser, also wants this, but does not want the customers to be able to do the really scary things that a superuser can do, like changing archive_command to rm -rf / or deleting the entire contents of pg_proc so that the system crashes and the database in which the operation was performed is permanently ruined.
