ferricoxideMy search-fu is either really lacking, today, or nobody bothers to set up #PGSQL users with the _bare-minimum_ permissions necessary to successfully run
pg_dump against a specific database?Seriously. It's like half the guides I find say something equivalent to "just use the root user" and others say "create a user but GRANT them all permissions". I don't want my backup-user to have the ability to kill a production database if its credentials get stolen. So, I'd rather it have read-only permissions.
With enough search iterations, I was able to find enough references to cobble together what I needed. So, now I have my minimally-permissioned query-user.
Told the person who submitted the automation-request, "hey: I worked out creating a minimally-permissioned #PGSQL user to support this effort. I wrote it up and it's available at ".
They responded, "oh. We already have a query-user. It's ".
Curious to see if I simply re-did what they did, I fired up a permissions-query:
psql -c "SELECT * FROM information_schema.role_table_grants WHERE grantee = '';"For each. My user had 40 grants, all at just the
SELECT level. Their user had nearly 170 grants at various levels. Probably going to recommend that they go with my user since it's sufficient for the tasks they're wanting to accomplish but has significantly fewer grants associated with it (and I'm the kind of person who errs towards the "smaller permission-sets are better" #security posture).