Please, answer some short questions which should help us to understand your problem / question better?
- Which image of the operator are you using? ghcr.io/zalando/postgres-operator:v1.14.0
- Where do you run it - cloud or metal? Kubernetes or OpenShift? GCP
- Are you running Postgres Operator in production? On an experimental basis
- Type of issue? Bug report / discussion
We are setting up access for human users to our databases, using the Teams API to create users.
We were looking for a way to make it so that human users have only read access when first connecting to the database, but can use GRANT ROLE or SET ROLE to give themselves more access if needed.
We use the defaultRoles/defaultUsers on preparedDatabases, so by default the human users are given admin, which has access to owner-roles, giving them full access to everything.
Looking at the documentation, we thought maybe setting team_admin_role to the reader role would give us what we needed, but then they can't elevate themselves. Our understanding of the enable_admin_role_for_users was that this should be possible, but it doesn't seem to work that way.
Is what we want to do possible somehow?
Is our understanding of enable_admin_role_for_users wrong, or is there a bug when that option is used for the defaultRoles created for preparedDatabases?
We are wondering if the hardcoding of admin in initPreparedDatabaseRoles is a bug, or intentional?