Re: Granting SET and ALTER SYSTE privileges for GUCs

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Granting SET and ALTER SYSTE privileges for GUCs
Date: 2021-11-17 13:27:59
Message-ID: CA+TgmobP8k+MtKNgrg8dVpsiiZXeOZ1qx-cGXQuSOLkA5AWXSw@mail.gmail.com
Lists: pgsql-hackers

On Tue, Nov 16, 2021 at 3:38 PM Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
> Your original and fairly simple set of patches used hardcoded role names
> and sets of GUCs they could update via ALTER SYSTEM. I suggested to you
> privately that a more flexible approach would be to drive this from a
> catalog table. I had in mind a table of more or less <roleid, guc_name>.
> You could prepopulate it with the roles / GUCs from your original patch
> set. I don't think it needs to be initially empty. But DBAs would be
> able to modify and extend the settings. I agree with Tom that we
> shouldn't try to cover all GUCs in the table - any GUC without an entry
> can only be updated by a superuser.

I simply can't understand the point of this. You're basically
proposing that somebody has to execute one SQL statement to make a GUC
grantable, and then a second SQL statement to actually grant access to
it. What is the value in that? It is the same person doing both
things, and the system can work out automatically what needs to be
done.

--
Robert Haas
EDB: http://www.enterprisedb.com
