From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Andres Freund <andres(at)2ndquadrant(dot)com> |
Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, Harold Giménez <harold(at)heroku(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: proposal: hide application_name from other users |
Date: | 2014-01-22 01:18:54 |
Message-ID: | 20140122011853.GU31026@tamriel.snowman.net |
Lists: | pgsql-hackers |

* Andres Freund (andres(at)2ndquadrant(dot)com) wrote:
> On 2014-01-21 20:00:51 -0500, Stephen Frost wrote:
> > * Josh Berkus (josh(at)agliodbs(dot)com) wrote:
> > > It would be really nice to be able to GRANT/REVOKE on some of these
> > > special system views ...
>
> Just define a security definer wrapper function + view, that afair works
> perfectly fine.

Yes, it does, but it *sucks* to have to create a bunch of security
definer wrapper functions, and as I think we've seen, getting those
right can also be tricky...

> > Don't know what folks think of removing those in-the-function checks in
> > favor of trusting the grant/revoke system to not allow those functions
> > to be called unless you have EXECUTE privileges on them..
>
> Well, they *do* return some information when called without superuser
> privileges. Just not all columns for all sessions. I don't think you can
> achieve that with anything in our permission system.

We'd have to address those issues somehow, certainly. The general
thrust of my thought was if we'd ever feel comfortable trusting the
GRANT/REVOKE permission system instead of places where we currently have
if(superuser()) checks or similar.

Of course, if we had RLS, we could actually support such a difference in
results based on user with that.. ;)

Thanks,

Stephen
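
The security definer wrapper function + view approach discussed in this message, as an added example that is not part of the original thread or of PostgreSQL itself. The schema `mon`, the role `monitoring`, and the object names are assumptions, and the script is assumed to be run by a superuser, who becomes the function's owner.

```sql
-- Constructed example: schema, role and object names are hypothetical.
BEGIN;

CREATE ROLE monitoring NOLOGIN;
CREATE SCHEMA mon;

-- SECURITY DEFINER: the body runs with the privileges of the function's
-- owner, so the in-function superuser checks behind pg_stat_activity are
-- evaluated against the owner rather than the caller.
CREATE FUNCTION mon.stat_activity()
RETURNS SETOF pg_catalog.pg_stat_activity
LANGUAGE sql
STABLE
SECURITY DEFINER
-- Pin search_path (pg_temp last) so a caller cannot make the body resolve
-- names to objects in a schema the caller controls.
SET search_path = pg_catalog, pg_temp
AS $$
    SELECT * FROM pg_catalog.pg_stat_activity;
$$;

-- New functions are executable by PUBLIC by default; without this REVOKE
-- every role could call the wrapper and see every session.
REVOKE ALL ON FUNCTION mon.stat_activity() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION mon.stat_activity() TO monitoring;

-- The view exposes only the columns the monitoring role needs.
CREATE VIEW mon.activity AS
    SELECT pid, datname, usename, application_name, state, query_start
    FROM mon.stat_activity();

-- Functions called in a view are permission-checked against the user of
-- the view, so the role needs schema USAGE and view SELECT in addition to
-- the EXECUTE grant above.
REVOKE ALL ON SCHEMA mon FROM PUBLIC;
GRANT USAGE ON SCHEMA mon TO monitoring;
GRANT SELECT ON mon.activity TO monitoring;

COMMIT;
```

The two places such wrappers most often go wrong are the ones commented above: an unpinned `search_path` and the default `EXECUTE` grant to `PUBLIC`.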