On Sun, Nov 20, 2022 at 6:48 PM Bryn Llewellyn <bryn@xxxxxxxxxxxx> wrote:
I haven’t seen anything in the PG doc that warns against creating additional superusers—so I suppose that this fact tells me something. Nevertheless, I remain convinced about what I’d recommend here:
The default choice must be to allow only one superuser: the inevitable bootstrap superuser.
If you are talking about your specific setup then it isn't a recommendation, it's a policy that you are defining. Do what you've concluded is best, you are the one that will end up answering for it.
IMO, there is no good blanket recommendation to give to someone else as to how their policy should be written. Security, especially of this sort, needs to be architected. And when doing that evaluation, and drawing those conclusions, there is no reason to exclude, a priori, having multiple named superusers as part of the final policy. Especially since any policy of this requires not only discussion of PostgreSQL itself but operation systems, configuration management, etc....
David J.