From: | Kyotaro HORIGUCHI <horiguchi(dot)kyotaro(at)lab(dot)ntt(dot)co(dot)jp> |
---|---|
To: | tgl(at)sss(dot)pgh(dot)pa(dot)us |
Cc: | robertmhaas(at)gmail(dot)com, os(at)ohmu(dot)fi, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Show dropped users' backends in pg_stat_activity |
Date: | 2016-03-23 03:35:41 |
Message-ID: | 20160323.123541.203539504.horiguchi.kyotaro@lab.ntt.co.jp |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
I had the same problem and thought similar thing.
At Wed, 16 Mar 2016 11:48:10 -0400, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote in <16068(dot)1458143290(at)sss(dot)pgh(dot)pa(dot)us>
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > Gee, I would have expected the DROP to be blocked until the user
> > disconnected, like we do for DROP DATABASE.
FWTW, I agree with Robert.
> Making that race-condition-free would require some notion of a lock on
> roles, I think. Seems pretty messy compared to the amount of actual
> value obtained. There are good reasons why you can't have a backend
> running in a nonexistent database; but a backend with a nonexistent
> user OID is not really going to be a problem for anything except
> monitoring queries that fail to use left joins where appropriate.
>
> Even if we maintained some interlock for a backend's login role identity,
> I hardly think it would be practical to e.g. lock during transient SET
> ROLE or security-definer-function-call operations. So it's not like we
> can let the permissions system assume that a role OID being inquired about
> always matches a live entry in pg_authid.
Even if blocking DROPs is not perfect for all cases,
unconditionally allowing to DROP a role still doesn't seem proper
behavior, especially for replication roles. And session logins
seem to me to have enough reason to be treated differently than
disguising as another role using SET ROLE or sec-definer.
The attached patch blocks DROP ROLE for roles that own active
sessions, and on the other hand prevents a session from being
activated if the login role is concurrently dropped.
Oskari's LEFT-Join patch is still desirable.
Is this still pointless?
regards,
Attachment | Content-Type | Size |
---|---|---|
block_dropped_roles_from_login.patch | text/x-patch | 4.6 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Vitaly Burovoy | 2016-03-23 03:37:08 | Bug in searching path in jsonb_set when walking through JSONB array |
Previous Message | Jim Nasby | 2016-03-23 03:31:30 | Re: Improve error handling in pltcl |