public inbox for [email protected]
help / color / mirror / Atom feedFrom: David G. Johnston <[email protected]>
To: yudhi s <[email protected]>
Cc: pgsql-general <[email protected]>
Subject: Re: error in trigger creation
Date: Sun, 21 Apr 2024 11:18:39 -0700
Message-ID: <CAKFQuwb7USt8kqM106D+=FV8voo6mQF93PbrHZLGkRPvyx4SOg@mail.gmail.com> (raw)
In-Reply-To: <CAEzWdqdFqVOrE1NSEd9fN7xPzbM5zBAum+WLumtE8b3dJN1CEQ@mail.gmail.com>
References: <CAEzWdqcimp5dnNOavaSkMCOKW_FVsKC2101g=dFsyjQ-9dA3uw@mail.gmail.com>
<CAKFQuwa+jpZ-pucWc92OCYcwCnj7C_POg8k=5BvbPZyL97R-Jw@mail.gmail.com>
<CAEzWdqfqr9e3OpFd5Nhqha3Ggm=+UJdWkgvo7dpAa3W99S2g5Q@mail.gmail.com>
<CAKFQuwYu8w7BMX_9xEP1t5ULT7pV-qO1Yotn1qtdMuEpWCqhFg@mail.gmail.com>
<CAEzWdqdFqVOrE1NSEd9fN7xPzbM5zBAum+WLumtE8b3dJN1CEQ@mail.gmail.com>
On Sun, Apr 21, 2024 at 11:10 AM yudhi s <[email protected]>
wrote:
>
> On Sun, Apr 21, 2024 at 7:55 PM David G. Johnston <
> [email protected]> wrote:
>
>> On Sunday, April 21, 2024, yudhi s <[email protected]> wrote:
>>
>>> On Sun, Apr 21, 2024 at 1:55 PM David G. Johnston <
>>> [email protected]> wrote:
>>>
>>>> On Sunday, April 21, 2024, yudhi s <[email protected]> wrote:
>>>>
>>>>> so that it will be able to assign the privilege, so we will be able to
>>>>> create the event trigger without need to run the event trigger script from
>>>>> super user itself?
>>>>>
>>>>
>>>> Write a security-definer function owned by superuser and grant app_user
>>>> permission to execute it.
>>>>
>>>> David J.
>>>>
>>>>
>>>
>>> Thank You David.
>>>
>>> Are you saying something like below, in which we first create the
>>> function from super user and then execute the grant? But doesn't that mean,
>>> each time we want to create a new event trigger we have to be again
>>> dependent on the "super user" to modify the security definer function?
>>>
>>
>> Dynamic SQL. See “execute” in plpgsql.
>>
>> David J.
>>
>>
>
> Even if we create the event trigger using "security definer" function
> embedding the "create event trigger" with in its body using dynamic
> sql(something as below), and in future if we need to create another event
> trigger , we need to again update the function and re-compile and for that
> , we will need it it to be compiled using user "super user", is my
> understanding correct here?
> Or
> it will just need the "super user" to create the function for the first
> time , but after that the user who has the "execute grant" given (say
> app_user) will be able to perform updates and compile to the function body?
>
> CREATE OR REPLACE FUNCTION create_event_trigger_func()
> RETURNS void
> LANGUAGE plpgsql
> SECURITY DEFINER
> AS $$
> BEGIN
> EXECUTE 'CREATE EVENT TRIGGER event_trigger_name ON schema_name ...';
> END;
> $$;
>
> GRANT EXECUTE ON FUNCTION create_event_trigger_func() TO app_user;
>
If you don't allow the caller to pass in parameters then no, you likely
gain nothing from using a security definer function. It is a tool and I
don't have enough info or desire to write the internals of said function(s)
for your need. As Tom says, it very well may be impossible to accomplish
your goal even with a security definer function. But absent a predefined
role there is no other mechanism for the owners of objects or superusers to
delegate their non-grantable abilities to ordinary users.
David J.
view thread (2+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: error in trigger creation
In-Reply-To: <CAKFQuwb7USt8kqM106D+=FV8voo6mQF93PbrHZLGkRPvyx4SOg@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox