Re: Proposal: access control jails (and introduction as aspiring GSoC student)

On Mon, Mar 22, 2010 at 10:03 AM, Stephen Frost <sfrost@snowman.net> wrote:
> * Robert Haas (robertmhaas@gmail.com) wrote:
>> Sometimes it would be nice to conditionalize queries on a value other
>> than the authenticated role.  I really wish we had some kind of SQL
>> variable support.  Talking out of my rear end:
>
> I certainly agree- having variable support in the backend would
> definitely be nice.  I'd want it to be explicit and distinct from GUCs
> though, unlike the situation we have w/ psql right now.

Agreed.

> All that said,
> I'm not really a huge fan of write-your-own-authorization-system in
> general.  If the existing authorization system isn't sufficient for what
> you want, then let's improve it.  There may be specific cases where
> what's needed is particularly complex, but that's what security definer
> functions are for..

Fortunately this functionality also has other uses, so I don't know
that we really need to decide which of those uses we approve of more
or less.

Does the SQL standard specify anything in this area?

...Robert