On Fri, 20 Mar 2026 at 13:33, Greg Sabino Mullane <[email protected]> wrote: > I'm a +1 to the cluster-wide change, and a -1 to the per-connection idea that > started this thread, because I still don't see the need for it when we have > an existing roles/permissions system that gets the job done. You want your > untrusted agent to read from your database? Create a specific role for that. > If our existing per-role access controls are not sufficient, improve them.
I think they are insufficient for two reasons: 1. Afaik there's no simple way to take an existing role and create a new role from it that only has the read permissions of the original role. Especially if you want those permissions to stay in sync between the roles. 2. The user that would want to do this, often lacks the create role permissions. So you effectively need admin access to the server to downgrade your permissions to read only. I think the best way to address this thread is to have a way to "lock" settings down, like discussed in this thread[1]. Then a user could simply run the sql to lock down the transaction_read_only and get a read-only connection that it could give to the LLM. [1]: https://www.postgresql.org/message-id/flat/CACA6kxh4MfRCHuY%2BuC2ZvXRQUP63LqumNtxtLsDF-mJswAJR5w%40mail.gmail.com
