Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNcW7-008p4h-1Q for pgsql-general@arkaria.postgresql.org; Mon, 24 Nov 2025 19:46:31 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vNcW6-003goK-0E for pgsql-general@arkaria.postgresql.org; Mon, 24 Nov 2025 19:46:30 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNcW5-003goC-2N for pgsql-general@lists.postgresql.org; Mon, 24 Nov 2025 19:46:30 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNcVz-001FyP-0e for pgsql-general@lists.postgresql.org; Mon, 24 Nov 2025 19:46:29 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 5AOJkKld988534; Mon, 24 Nov 2025 14:46:20 -0500 From: Tom Lane To: =?utf-8?Q?=C3=81lvaro?= Herrera cc: Laurenz Albe , Calvin Guo , pgsql-general@lists.postgresql.org Subject: Re: set role command In-reply-to: <202511241909.nudhcfkcugfl@alvherre.pgsql> References: <202511241909.nudhcfkcugfl@alvherre.pgsql> Comments: In-reply-to =?utf-8?Q?=C3=81lvaro?= Herrera message dated "Mon, 24 Nov 2025 20:21:23 +0100" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <988532.1764013580.1@sss.pgh.pa.us> Date: Mon, 24 Nov 2025 14:46:20 -0500 Message-ID: <988533.1764013580@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk =?utf-8?Q?=C3=81lvaro?= Herrera writes: > On 2025-Nov-24, Tom Lane wrote: >> I don't think so. They are just shorthand for issuing a SET to the >> original value, so how do they break the model in a way that that >> doesn't? > No, because the new user doesn't have privs to become the previous one. Don't think you can make that argument from the standard, since it explicitly disclaims saying what privs are required. > It would be more > secure to have a mechanism where the connection is initially > unauthenticated altogether (which means: it's not a valid SQL session), > becomes authenticated at the pooler's will, and returns to > unauthenticated state as the pooler decides. Critically, from > unauthenticated state you shouldn't be able to become superuser. I don't like the idea that a pooler or pretend-to-be pooler can eat up a backend session without having authenticated at all. Also, exactly what does "becomes authenticated at the pooler's will" mean? There had better be some actual authentication happening somewhere. If we tried doing that, I'd prefer that the "rest state" be validly authenticated, but it could be as a low-privilege user that can't do much of anything. However, then we'd need to have an actual authentication exchange to raise privilege to whatever you wanted to do useful work as, and that would have to be a protocol-level thing not a SQL command. I also wonder how much poolers would really want to use that, because it'd partially defeat the goal of quickly switching to different users. regards, tom lane