Re: allowing privileges on untrusted languages

Robert Haas <robertmhaas@gmail.com> writes:
> On Fri, Jan 25, 2013 at 2:59 PM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
>> 2013/1/20 Tom Lane <tgl@sss.pgh.pa.us>:
>>> The traditional answer to that, which not only can be done already in
>>> all existing releases but is infinitely more flexible than any
>>> hard-wired scheme we could implement, is that you create superuser-owned
>>> security-definer functions that can execute any specific operation you
>>> want to allow, and then GRANT EXECUTE on those functions to just the
>>> people who should have it.

> This is valid, but I think that the people who want this functionality
> are less interest in avoiding bugs in trusted procedures than they are
> in avoiding the necessity for the user to have to learn the local
> admin-installed collection of trusted procedures.

Sure, but given that we are working on event triggers, surely the
correct solution is to make sure that user-provided event triggers can
cover permissions-checking requirements, rather than to invent a whole
new infrastructure that's guaranteed to never really satisfy anybody.
        regards, tom lane