From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Chris Farmiloe <chrisfarms(at)gmail(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: ASYNC Privileges proposal |
Date: | 2013-05-20 02:23:07 |
Message-ID: | 13601.1369016587@sss.pgh.pa.us |
Lists: | pgsql-hackers |

Chris Farmiloe <chrisfarms(at)gmail(dot)com> writes:
> I find the current LISTEN / NOTIFY rather limited in the context of
> databases with multiple roles. As it stands it is not possible to restrict
> the use of LISTEN or NOTIFY to specific roles, and therefore notifications
> (and their payloads) cannot really be trusted as coming from any particular
> source.

TBH, nobody has complained about this in the fifteen-plus years that
LISTEN has been around. I'm dubious about adding privilege-checking
overhead for everybody to satisfy a complaint from one person.

> I'd like to propose a new ASYNC database privilege that would control
> whether a role can use LISTEN, NOTIFY and UNLISTEN statements and the
> associated pg_notify function.

... and if I did think that there were an issue here, I doubt I'd think
that a privilege as coarse-grained as that would fix it. Surely you'd
want per-channel privileges if you were feeling paranoid about this,
not to mention separate read and write privileges. But the demand for
that just isn't out there.

regards, tom lane