From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Cc: | CN <cnliou9(at)fastmail(dot)fm>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Switching roles as an replacement of connection pooling tools |
Date: | 2016-06-01 13:56:51 |
Message-ID: | 17462.1464789411@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
"David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> writes:
> Would a scheme whereby you basically only get to SET ROLE one time work?
> Basically the connection layer logs in and immediately SET SESSION
> AUTHORIZATION AND SET ROLE [WITH SETTINGS?] to another role. For all
> intents and purposes the session now looks as if that role was the one that
> performed the login. However, that role is forbidden from changing its
> identity. This removes attack vectors but also means that applications
> cannot made use of finer grained grants without the main role inheriting
> all of them. I can see this being an acceptable trade-off in some/many
> uses.
> When the session is returned to a pool it can either be kept around waiting
> for another request by the same user or it would have to be closed and
> reestablished should the connection need to be freed up for another user.
Doesn't seem like this'd actually provide any useful functionality for a
connection pooler. It still has to restrict any one underlying connection
to be used by only one role. You've added more bookkeeping (because
there's a state where a connection's role is unassigned) but no
flexibility.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | David G. Johnston | 2016-06-01 14:15:36 | Re: Switching roles as an replacement of connection pooling tools |
Previous Message | David G. Johnston | 2016-06-01 13:45:34 | Re: Switching roles as an replacement of connection pooling tools |