Re: pg_cancel_backend by non-superuser

Noah Misch <noah@leadboat.com> writes:
> On Sun, Oct 02, 2011 at 06:55:51AM -0400, Robert Haas wrote:
>> On Sat, Oct 1, 2011 at 10:11 PM, Euler Taveira de Oliveira
>> <euler@timbira.com> wrote:
>>> I see. What about passing this decision to DBA? I mean a GUC
>>> can_cancel_session = user, dbowner (default is '' -- only superuser). You
>>> can select one or both options. This GUC can only be changed by superuser.

>> Or how about making it a grantable database-level privilege?

> I think either is overkill.  You can implement any policy by interposing a
> SECURITY DEFINER wrapper around pg_cancel_backend().

I'm with Noah on this.  If allowing same-user cancels is enough to solve
95% or 99% of the real-world use cases, let's just do that.  There's no
very good reason to suppose that a GUC or some more ad-hoc privileges
will solve a large enough fraction of the rest of the cases to be worth
their maintenance effort.  In particular, I think both of the above
proposals assume way too much about the DBA's specific administrative
requirements.
        regards, tom lane