Separate global and database key management permissions

Description

We currently have a single function, pg_tde_grant_key_management_to_role that grants permissions to all key management functions. This includes both database and global keys.

Global keys should be handled separately, a user that can manage the keys for a single database shouldn’t be able to do anything with the global key.

Potentially pg_tde_grant_* / pg_tde_revoke_*should be a separate permission too (similar to WITH GRANT OPTION)

How to document

None

How to test

None

Activity

Show:

Done

Details

Assignee

Zsolt Parragi

Reporter

Zsolt Parragi

Labels

TDE_RC

Components

Sprint

None

Fix versions

pg_tde_RC1

Priority

Medium

Parent

PG-1287 PG TDE RC

Smart Checklist

Created November 29, 2024 at 8:04 AM

Updated February 5, 2025 at 8:18 PM

Resolved February 5, 2025 at 8:18 PM

Configure