Re: Allow non-superuser to cancel superuser tasks.

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Nathan Bossart <nathandbossart(at)gmail(dot)com>
Cc: "Leung, Anthony" <antholeu(at)amazon(dot)com>, "Andrey M(dot) Borodin" <x4mmm(at)yandex-team(dot)ru>, Kirill Reshke <reshkekirill(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Allow non-superuser to cancel superuser tasks.
Date: 2024-04-05 23:56:04
Message-ID: ZhCPlBVRWnv4j-u4@paquier.xyz
Lists: pgsql-hackers

On Fri, Apr 05, 2024 at 07:56:56AM -0500, Nathan Bossart wrote:
> On Fri, Apr 05, 2024 at 02:39:05PM +0900, Michael Paquier wrote:
>> One thing that we should definitely not do is letting any user calling
>> pg_signal_backend() know that a given PID maps to an autovacuum
>> worker. This information is hidden in pg_stat_activity. And
>> actually, doesn't the patch leak this information to all users when
>> calling pg_signal_backend with random PID numbers because of the fact
>> that SIGNAL_BACKEND_NOAUTOVACUUM exists? Any role could guess which
>> PIDs are used by an autovacuum worker because of the granularity
>> required for the error related to pg_signal_autovacuum.
>
> Hm. I hadn't considered that angle. IIUC right now they'll just get the
> generic superuser error for autovacuum workers. I don't know how concerned
> to be about users distinguishing autovacuum workers from other superuser
> backends, _but_ if roles with pg_signal_autovacuum can't even figure out
> the PIDs for the autovacuum workers, then this feature seems kind-of
> useless. Perhaps we should allow roles with privileges of
> pg_signal_autovacuum to see the autovacuum workers in pg_stat_activity.

There is pg_read_all_stats as well, so I don't see a big issue in
requiring membership of this role as well for the sake of what's
being proposed here. I'd rather not leak any information at the end to
anybody calling pg_signal_backend without access to the stats, so
checking the backend type after the role sounds like a safer
long-term approach to me.
--
Michael
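The ordering concern raised in this message (a check on the target's backend type that runs before the caller's privilege check turns the error message into an oracle for which PIDs are autovacuum workers) can be shown with a small model. The C below is an added illustration written for this archive page, not code from the patch under discussion or from PostgreSQL itself; the types `Role`, `Backend`, `SignalResult`, the functions `check_leaky`/`check_safe`/`distinguishable` and the sample callers and targets are all constructed for the example. Both check functions model only superuser-owned targets, which is the case the thread is about.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model; these are not PostgreSQL's enums or functions. */
typedef enum { BT_CLIENT, BT_AUTOVAC } BackendType;

typedef enum {
    SIG_OK,
    SIG_ERR_SUPERUSER,     /* generic refusal, same text for any superuser-owned target */
    SIG_ERR_NOAUTOVACUUM   /* specific refusal that names the autovacuum case */
} SignalResult;

typedef struct { int pid; BackendType type; } Backend;
typedef struct { bool is_superuser; bool has_signal_autovacuum; } Role;

/* Leaky ordering: the target's type is inspected before the caller's
 * privilege, so a caller with no privilege at all still gets a different
 * error for an autovacuum worker than for any other superuser backend. */
SignalResult check_leaky(const Role *caller, const Backend *target)
{
    if (caller->is_superuser)
        return SIG_OK;
    if (target->type == BT_AUTOVAC) {
        if (caller->has_signal_autovacuum)
            return SIG_OK;
        return SIG_ERR_NOAUTOVACUUM;   /* distinct error: this is the oracle */
    }
    return SIG_ERR_SUPERUSER;
}

/* Safe ordering: decide first whether this caller is allowed to know
 * anything about backend types; everyone else receives the same generic
 * refusal no matter which PID they passed in. */
SignalResult check_safe(const Role *caller, const Backend *target)
{
    if (caller->is_superuser)
        return SIG_OK;
    if (!caller->has_signal_autovacuum)
        return SIG_ERR_SUPERUSER;      /* identical answer for every target */
    if (target->type == BT_AUTOVAC)
        return SIG_OK;
    return SIG_ERR_SUPERUSER;
}

/* True when the same caller gets different outcomes for two targets,
 * i.e. the check lets that caller tell the two PIDs apart. */
bool distinguishable(SignalResult (*check)(const Role *, const Backend *),
                     const Role *caller, const Backend *a, const Backend *b)
{
    return check(caller, a) != check(caller, b);
}

/* Constructed sample data: an unprivileged role, a role holding the
 * hypothetical pg_signal_autovacuum privilege, and two superuser-owned
 * targets (PIDs are made up). */
static const Role caller_plain = { false, false };
static const Role caller_av    = { false, true };
static const Backend target_worker = { 4242, BT_AUTOVAC };
static const Backend target_super  = { 4243, BT_CLIENT };

int main(void)
{
    printf("leaky ordering: plain caller can tell worker from superuser backend: %s\n",
           distinguishable(check_leaky, &caller_plain, &target_worker, &target_super) ? "yes" : "no");
    printf("safe ordering:  plain caller can tell worker from superuser backend: %s\n",
           distinguishable(check_safe, &caller_plain, &target_worker, &target_super) ? "yes" : "no");
    printf("safe ordering:  pg_signal_autovacuum member may signal worker: %s\n",
           check_safe(&caller_av, &target_worker) == SIG_OK ? "yes" : "no");
    return 0;
}
```

The point of `check_safe` is that the only callers who can observe a type-dependent outcome are the ones already entitled to that information, which lines up with also requiring pg_read_all_stats for the role that is allowed to see those workers in pg_stat_activity.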
