public inbox for [email protected]  
help / color / mirror / Atom feed
From: Tom Lane <[email protected]>
To: Joshua Brindle <[email protected]>
Cc: Mark Dilger <[email protected]>
Cc: Andrew Dunstan <[email protected]>
Cc: Peter Eisentraut <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: Jeff Davis <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Cc: Joe Conway <[email protected]>
Subject: Re: Granting SET and ALTER SYSTE privileges for GUCs
Date: Wed, 30 Mar 2022 09:26:21 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAGB+Vh7uv_-JUMWw2tO5CzgPjbY=o-7-kXv-fFQthJHGNz7t8Q@mail.gmail.com>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<CAGB+Vh4_UJsYHCWborm-y4CFt8gVvY_KbcNrpWcpXAk-GcwOtA@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<18A291A8-362E-4AB1-833D-66410751E401@e! nterprisedb.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<CAGB+Vh7uv_-JUMWw2tO5CzgPjbY=o-7-kXv-fFQthJHGNz7t8Q@mail.gmail.com>

After sleeping on it, I have a modest proposal for simplifying
these issues.  Consider this design:

1. In the SET code path, we assume (without any catalog lookup)
that USERSET GUCs can be set.  Only for SUSET GUCs do we perform
a permissions lookup.  (ALTER SYSTEM does a lookup in both cases.)

2. Given this, the default ACL for any GUC can be empty, greatly
simplifying all these management issues.  Superusers could do what
they want anyway, so modeling an "owner's default grant" becomes
unnecessary.

What this loses is the ability to revoke public SET permissions
on USERSET GUCs.  I claim that that is not so valuable as to
justify all the complication needed to deal with it.  (If a GUC
seems to require some defenses, why is it USERSET?)  Avoiding
a permissions lookup in the default SET code path seems like
a pretty important benefit, too.  If we force that to happen
it's going to be a noticeable drag on functions with SET clauses.

			regards, tom lane





view thread (81+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Granting SET and ALTER SYSTE privileges for GUCs
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox