pg_monitor role description

On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote:

"This role is a member of pg_read_all_settings, pg_read_all_stats and
pg_stat_scan_tables."
Is it correct sentence?
It seems for me that pg_read_all_stats is a member of pg_monitor. But not
vice versa.

Here is what I am getting:
=# \dgS pg_monitor
List of roles
Role name | Attributes | Member of
------------+--------------+--------------------------------------------------------------
pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables}

=# \dgS pg_read_all_data
List of roles

Role name | Attributes | Member of
------------------+--------------+-----------
pg_read_all_data | Cannot login | {}

So the docs look correct to me.
--
Michael

On Thu, May 20, 2021 at 3:01 PM Michael Paquier <michael@paquier.xyz> wrote:

On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote:

"This role is a member of pg_read_all_settings, pg_read_all_stats and
pg_stat_scan_tables."
Is it correct sentence?
It seems for me that pg_read_all_stats is a member of pg_monitor. But not
vice versa.

Here is what I am getting:
=# \dgS pg_monitor
List of roles
Role name | Attributes | Member of
------------+--------------+--------------------------------------------------------------
pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables}

=# \dgS pg_read_all_data
List of roles

Role name | Attributes | Member of
------------------+--------------+-----------
pg_read_all_data | Cannot login | {}

So the docs look correct to me.

Indeed. In other words pg_monitor is the sum of the authorizations
given by all those roles.

On 20.05.2021 11:54, Julien Rouhaud wrote:

On Thu, May 20, 2021 at 3:01 PM Michael Paquier <michael@paquier.xyz> wrote:

On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote:

"This role is a member of pg_read_all_settings, pg_read_all_stats and
pg_stat_scan_tables."
Is it correct sentence?
It seems for me that pg_read_all_stats is a member of pg_monitor. But not
vice versa.

Here is what I am getting:
=# \dgS pg_monitor
List of roles
Role name | Attributes | Member of
------------+--------------+--------------------------------------------------------------
pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables}

=# \dgS pg_read_all_data
List of roles

Role name | Attributes | Member of
------------------+--------------+-----------
pg_read_all_data | Cannot login | {}

So the docs look correct to me.

Indeed. In other words pg_monitor is the sum of the authorizations
given by all those roles.

Let me try one more time.
What is correct from the English language point of view:

1. Julien Rouhaud is a member of PostgreSQL Community.

or

2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier.

Or both forms are correct?

I think that 1 is correct. And column header in a \du output must be something like 'members' instead of 'member of'.

--
Pavel Luzanov
Postgres Professional: https://postgrespro.com
The Russian Postgres Company

Pavel Luzanov <p.luzanov@postgrespro.ru> writes:

Let me try one more time.
What is correct from the English language point of view:
1. Julien Rouhaud is a member of PostgreSQL Community.
or
2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier.
Or both forms are correct?
I think that 1 is correct.

You're right about that ...

And column header in a \du output must be something like 'members' instead of 'member of'.

... but this does not follow, because it's a poor analogy. "Member of"
means "these role(s) have been GRANT'ed to pg_monitor".

As a more typical use-case, there might be a role "sysadmins" that holds
assorted privileges, and then certain individual users are granted that
role. Nobody would quibble with seeing

List of roles
Role name | Attributes | Member of
-----------+--------------+-------------
bob | | {sysadmins}
joe | | {sysadmins}
sysadmins | Cannot login | {}

and I think most would agree that titling the column "Members" would
be backwards.

regards, tom lane

On Thu, 2021-05-20 at 12:03 -0400, Tom Lane wrote:

List of roles
Role name | Attributes | Member of
-----------+--------------+-------------
bob | | {sysadmins}
joe | | {sysadmins}
sysadmins | Cannot login | {}

and I think most would agree that titling the column "Members" would
be backwards.

Right. you have to read that like:

Role name (bob) with attributes () is a member of (sysadmins).

Yours,
Laurenz Albe

Hello,

On 20.05.2021 19:03, Tom Lane wrote:

Pavel Luzanov <p.luzanov@postgrespro.ru> writes:

Let me try one more time.
What is correct from the English language point of view:
1. Julien Rouhaud is a member of PostgreSQL Community.
or
2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier.
Or both forms are correct?
I think that 1 is correct.

You're right about that ...

So, is it correct to change description of pg_monitor role from:

"Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|."

to

"Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role."

I can prepare a simple patch.

And column header in a \du output must be something like 'members' instead of 'member of'.

... but this does not follow, because it's a poor analogy. "Member of"
means "these role(s) have been GRANT'ed to pg_monitor".

Yes, I understood this point and agree.

--
Pavel Luzanov
Postgres Professional: https://postgrespro.com
The Russian Postgres Company

Hello,

On 20.05.2021 20:27, Pavel Luzanov wrote:

So, is it correct to change description of pg_monitor role from:
"Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|."
to
"Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role."

I can prepare a simple patch.

Just in case, patch attached.

--
Pavel Luzanov
Postgres Professional: https://postgrespro.com
The Russian Postgres Company

Pavel Luzanov <p.luzanov@postgrespro.ru> writes:

So, is it correct to change description of pg_monitor role from:
"Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|."
to
"Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role."

No, it is not. That wording implies that the built-in grants are like

GRANT pg_monitor TO pg_read_all_settings

and so on, where the truth is the opposite.

regards, tom lane

On 20.05.2021 21:10, Tom Lane wrote:

Pavel Luzanov <p.luzanov@postgrespro.ru> writes:

So, is it correct to change description of pg_monitor role from:
"Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|."
to
"Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role."

No, it is not. That wording implies that the built-in grants are like

GRANT pg_monitor TO pg_read_all_settings

and so on, where the truth is the opposite.

I'm totally confused. I'm taking timeout to think about it.

--

Pavel Luzanov
Postgres Professional: https://postgrespro.com
The Russian Postgres Company

On 20.05.2021 21:25, Pavel Luzanov wrote:

I'm totally confused. I'm taking timeout to think about it.

I got it! It wasn't my day.))

This wording worked for me:

The pg_monitor role is a member of the pg_read_all_settings role, which allows its privileges to be used. Therefore, pg_monitor can get the value of any configuration parameter.

Thanks for clarifying.

--
Pavel Luzanov
Postgres Professional: https://postgrespro.com
The Russian Postgres Company