Re: Review of GetUserId() Usage

* Peter Eisentraut (peter_e@gmx.net) wrote:
> On 9/24/14 4:58 PM, Stephen Frost wrote:
> > * Alvaro Herrera (alvherre@2ndquadrant.com) wrote:
> >> I think the case for pgstat_get_backend_current_activity() and
> >> pg_stat_get_activity and the other pgstatfuncs.c callers is easy to make
> >> and seems acceptable to me; but I would leave pg_signal_backend out of
> >> that discussion, because it has a potentially harmful side effect.  By
> >> requiring SET ROLE you add an extra layer of protection against
> >> mistakes.  (Hopefully, pg_signal_backend() is not a routine thing for
> >> well-run systems, which means human intervention, and therefore the room
> >> for error isn't insignificant.)
> >
> > While I certainly understand where you're coming from, I don't really
> > buy into it.  Yes, cancelling a query (the only thing normal users can
> > do anyway- they can't terminate backends) could mean the loss of any
> > in-progress work, but it's not like 'rm' and I don't see that it needs
> > to require extra hoops for individuals to go through.
>
> It would be weird if it were inconsistent: some things require role
> membership, some things require SET ROLE.  Try explaining that.

I agree..  We already have that distinction, through inherit vs.
noinherit.  I don't think it makes sense to have it also for individual
commands which we feel "might not be as safe".  You could still go
delete all their data w/o a set role if you wanted...
Thanks,
    Stephen