| From: | Ayush Vatsa <ayushvatsa1810(at)gmail(dot)com> |
|---|---|
| To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
| Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Restricting Direct Access to a C Function in PostgreSQL |
| Date: | 2024-08-11 13:34:41 |
| Message-ID: | CACX+KaPzN_q9uOjcr=JzYG6EWQ7JKwev2j+ozwUNn1Kx5LX4qA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Thanks for the responses.
> I would go with the GRANT approach. Make my_func() a
SECURITY DEFINER function, and revoke access to my_func_extended() for
all other roles.
This sounds reasonable, and can be one of the options.
> Dunno how
complicated the logic in my_func() is, if that makes sense.
Actually my_func_extended already exists hence I don't want
to touch its C definition, nor wanted to duplicate the logic.
>The SPI API is not difficult, and this looks like best option
Sorry didn't understand this part, are you suggesting I can have called
my_func_extended() through SPI inside my_func(), but didnt that also
required
my_func_extended() declaration present in SQL ? And If that is present then
anyone can call my_func_extended() directly.
Regards
Ayush
AWS
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2024-08-11 13:43:47 | Re: Restricting Direct Access to a C Function in PostgreSQL |
| Previous Message | Andrew Dunstan | 2024-08-11 12:53:31 | Re: PG_TEST_EXTRA and meson |