| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Nico Williams <nico(at)cryptonector(dot)com> |
| Cc: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Interest in a SECURITY DEFINER function current_user stack access mechanism? |
| Date: | 2017-10-18 20:43:30 |
| Message-ID: | CAKFQuwaLsT7MFOu5O0j0_sPAtdxU7H6LUEA0bfUmYGPZj1Tk4A@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Oct 18, 2017 at 1:26 PM, Nico Williams <nico(at)cryptonector(dot)com>
wrote:
> On Wed, Oct 18, 2017 at 10:15:01PM +0200, Pavel Stehule wrote:
> > there is a function session_user() already
>
> But it doesn't do this. Are you saying that I should add a
> session_user(int)?
>
>
​Regardless of the merits of the proposed feature, the function
"session_user" is SQL-defined and should not be modified or enhanced.
I could see "calling_role()" being useful - it returns the same value as
"current_role" normally and in security invoker functions while in a
security definer function it would return whatever current_role would have
returned if the function was a security invoker (i.e., the role that the
system will put back into effect once the security definer function
returns).
Introducing the concept of a stack at the SQL level here seems, at first
glance, to be over-complicating things.
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2017-10-18 20:54:46 | Re: [COMMITTERS] pgsql: Fix traversal of half-frozen update chains |
| Previous Message | Andres Freund | 2017-10-18 20:30:15 | Re: [POC] Faster processing at Gather node |