From: | Jim Nasby <Jim(dot)Nasby(at)BlueTreble(dot)com> |
---|---|
To: | Sameer Kumar <sameer(dot)kumar(at)ashnik(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Cc: | PostgreSQL General Discussion Forum <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Limiting user from changing its own attributes |
Date: | 2015-04-13 05:03:20 |
Message-ID: | 552B4E18.8080508@BlueTreble.com |
Lists: | pgsql-general |
On 4/12/15 11:55 PM, Sameer Kumar wrote:
>
> On Mon, 13 Apr 2015 11:35 Jim Nasby <Jim(dot)Nasby(at)bluetreble(dot)com
> <mailto:Jim(dot)Nasby(at)bluetreble(dot)com>> wrote:
>
> On 4/11/15 4:11 PM, Sameer Kumar wrote:
> > Pg_settings currently has an upper bound column - though it is a
> > view and that value cannot be changed that I know of.
> >
> >
> > I guess that upper bound column is more of the limit that is imposed by
> > system which you can have for a parameter i.e. the system imposed limit
> > or valid range of values for a parameter. I don't think one can update that.
>
> Correct.
>
> > But if it could I suspect that whatever catalog you would change to
> > affect it would only cause a global change. There is no alter
> > database, role, or postgresql way to change that value.
> >
> > Oh ok... any way of achieving that? There is no EVENT trigger for "alter user"?
>
> There is not, but as David mentioned there's way more ways to modify
> settings than just ALTER ROLE. Attempting to lock that down won't help
> you at all.
>
> Unfortunately, there's no hook support for doing something special when
> GUCs change, though it might be possible to do something here via
> planner hooks. That would be pretty complicated and would need to be
> done in C.
>
> It doesn't look like SELinux would help either.
>
> So basically, there is currently no way to restrict someone changing
> GUCs, other than GUCs that are marked as superuser-only.
>
> Is there anything expected in any of the near future release?
No. I suspect the community would support at least a hook for GUC
changes, if not a full-on permissions system. A hook would make it
fairly easy to add event trigger support.
--
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com
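
Since the thread concludes that only superuser-only GUCs are protected, an audit of what is user-changeable and what has been persisted per role is the practical fallback. The queries below are an added example, not part of the original message; they assume PostgreSQL 9.3 or later (for LATERAL) and use only the standard `pg_settings`, `pg_db_role_setting`, `pg_roles` and `pg_database` catalogs.

```sql
-- 1. Settings that any ordinary role may change for itself.
--    context = 'user' covers SET, ALTER ROLE ... SET and ALTER DATABASE ... SET.
--    min_val / max_val are the system-imposed bounds discussed in the thread;
--    they are read-only.
SELECT name, setting, min_val, max_val
FROM pg_settings
WHERE context = 'user'
ORDER BY name;

-- 2. Overrides persisted with ALTER ROLE / ALTER DATABASE ... SET.
--    setconfig is a text[] of 'name=value' entries; setrole = 0 or
--    setdatabase = 0 means "applies to all", hence the LEFT JOINs.
SELECT COALESCE(r.rolname, '(all roles)')     AS role_name,
       COALESCE(d.datname, '(all databases)') AS database_name,
       split_part(cfg, '=', 1)                AS guc_name,
       substr(cfg, strpos(cfg, '=') + 1)      AS stored_value,
       s.context,
       s.boot_val                             AS compiled_default
FROM pg_db_role_setting AS rs
CROSS JOIN LATERAL unnest(rs.setconfig) AS cfg
LEFT JOIN pg_roles    AS r ON r.oid = rs.setrole
LEFT JOIN pg_database AS d ON d.oid = rs.setdatabase
LEFT JOIN pg_settings AS s
       ON lower(s.name) = lower(split_part(cfg, '=', 1))
ORDER BY role_name, database_name, guc_name;

-- 3. Values in the current session that did not come from the defaults
--    or postgresql.conf (source is 'user', 'database', 'session', ...).
--    This only sees the session that runs it: a plain SET in another
--    session leaves no catalog trace, which is why locking down
--    ALTER ROLE alone does not help.
SELECT name, setting, source, context
FROM pg_settings
WHERE source NOT IN ('default', 'configuration file', 'override')
ORDER BY name;
```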