> adrian.klaver@aklaver.com wrote:
>
>> bryn@yugabyte.com wrote:
>>
>> Anyway, all this is moot (except in that thinking about it helps me to enrich my mental model) because the privilege
notionshere will never change.
>
> So, I want it but not really.
I’d rather say “I’d very much prefer it if I had it. But, because I don’t, I will have to write a comment essay to
explainwhat tests might show and why these outcomes that might seem worrisome at first sight can be seen, after an
exerciseof reasoning, to be harmless. I’m not a fan of that kind of essay writing. But I’ll do it if I have to.
>> Yes I have actually done this. But rigorous testing remains to be done... The point (conforming to the principle of
leastprivilege) is that sessions that connect as "client" must not be allowed to do arbitrary SQL. Rather, they should
beable to do only what has been explicitly "white-listed" in by the encapsulation provided by the API-defining
subprograms.
>
> All right that I get.
Good. I’m relieved that you haven’t (yet) spotted a flaw in my scheme.