Haas: Surviving Without A Superuser - Part One

PostgreSQL developer Robert Haas has beguna blog series on what would be needed to allow database administratorsto safely delegate superuser powers.

Consider, for example, the case of a service provider who wouldlike to support a database with multiple customers as tenants. Thecustomers will naturally want to feel as if they have the powers ofa true superuser, with the ability to do things like create newroles, drop old ones, change permissions on objects that they don'town, and generally enjoy the freedom to bypass permission checks atthe SQL level which superusers enjoy. The service provider, who isthe true superuser, also wants this, but does not want thecustomers to be able to do the really scary things that a superusercan do, like changing archive_command torm -rf / or deleting the entire contents of pg_proc so that the system crashes and thedatabase in which the operation was performed is permanentlyruined.