Haas: Surviving Without A Superuser – Part One

Post Syndicated from original https://lwn.net/Articles/878206/rss

PostgreSQL developer Robert Haas has begun
a blog series
on what would be needed to allow database administrators
to safely delegate superuser powers.

Consider, for example, the case of a service provider who would
like to support a database with multiple customers as tenants. The
customers will naturally want to feel as if they have the powers of
a true superuser, with the ability to do things like create new
roles, drop old ones, change permissions on objects that they don’t
own, and generally enjoy the freedom to bypass permission checks at
the SQL level which superusers enjoy. The service provider, who is
the true superuser, also wants this, but does not want the
customers to be able to do the really scary things that a superuser
can do, like changing archive_command to
rm -rf / or deleting the
entire contents of pg_proc so that the system crashes and the
database in which the operation was performed is permanently
ruined.
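The boundary Haas describes can be seen directly in SQL. The following is an added example, not code from Haas's post or from the PostgreSQL project; the role names, password, and database name are assumptions for illustration. It creates a tenant administrator with CREATEROLE but without SUPERUSER, then shows that the role can manage roles while the two catastrophic operations named above are refused. Note that archive_command is run by the server through the shell as the operating-system user PostgreSQL runs as, so control over it is arbitrary command execution on the host, not merely a database setting.

```sql
-- Added example (not from Haas's post or the PostgreSQL project).
-- Run as a superuser in psql. tenant_admin, tenant_app, tenant_db and the
-- passwords are assumed names used only for illustration.

-- The service provider creates a tenant administrator that can log in and
-- manage roles, but is explicitly NOT a superuser.
CREATE ROLE tenant_admin LOGIN CREATEROLE NOSUPERUSER PASSWORD 'change-me';

-- A database the tenant owns, so it can create and drop objects there freely.
CREATE DATABASE tenant_db OWNER tenant_admin;

-- Run the rest of the session with the tenant's privileges: permission
-- checks now apply as tenant_admin rather than as the superuser.
SET ROLE tenant_admin;

-- Things the tenant is expected to be able to do (CREATEROLE is enough):
CREATE ROLE tenant_app LOGIN PASSWORD 'also-change-me';   -- succeeds
DROP ROLE tenant_app;                                      -- succeeds

-- The "really scary" operations are refused for a non-superuser.
-- archive_command is executed by the server through the shell, so any value
-- here would mean host-level command execution; the value is irrelevant,
-- the statement fails on the privilege check.
ALTER SYSTEM SET archive_command = '/bin/true';
-- ERROR:  permission denied to set parameter "archive_command"

-- Catalog rows are readable by everyone but writable only by the superuser.
DELETE FROM pg_proc;
-- ERROR:  permission denied for table pg_proc

-- Back to the superuser. Both statements above would have succeeded here,
-- the second one leaving the database unusable, which is the gap the
-- delegation problem has to close.
RESET ROLE;
```

Two caveats for anyone trying this: ALTER SYSTEM cannot be issued inside a transaction block, so run the statements one at a time rather than wrapped in BEGIN/COMMIT; and before PostgreSQL 16, CREATEROLE lets its holder grant membership in any non-superuser role and so take over those roles, which means CREATEROLE alone is not a safe delegation mechanism on those releases.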