Re: proposal: hide application_name from other users
| От | Andres Freund |
|---|---|
| Тема | Re: proposal: hide application_name from other users |
| Дата | |
| Msg-id | 20140122012149.GH32729@awork2.anarazel.de обсуждение исходный текст |
| Ответ на | Re: proposal: hide application_name from other users (Stephen Frost <sfrost@snowman.net>) |
| Список | pgsql-hackers |
On 2014-01-21 20:18:54 -0500, Stephen Frost wrote: > > > Don't know what folks think of removing those in-the-function checks in > > > favor of trusting the grant/revoke system to not allow those functions > > > to be called unless you have EXECUTE privileges on them.. > > > > Well, they *do* return some information when called without superuser > > privileges. Just not all columns for all sessions. I don't think you can > > achieve that with anything in our permission system. > > We'd have to address those issues somehow, certainly. The general > thrust of my thought was if we'd ever feel comfortable trusting the > GRANT/REVOKE permission system instead of places what we currently have > if(superuser()) checks or similar. I think the only realistic thing is a "monitoring" capability, like we have "replication". GRANT/REVOKE doesn't even come close to being able to generically allow to grant permissions of even the moderate complexity pg_stat_get_activity() has. Greetings, Andres Freund -- Andres Freund http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services
В списке pgsql-hackers по дате отправления: