> On 2 Jan 2024, at 18:36, Robert Haas <robertmhaas@gmail.com> wrote:
>
> On Sun, Dec 31, 2023 at 2:20 PM Joe Conway <mail@joeconway.com> wrote:
>> On 12/30/23 17:19, Michał Kłeczek wrote:
>>>> On 30 Dec 2023, at 17:16, Eric Hanson <eric@aquameta.com> wrote:
>>>>
>>>> What do you think of adding a NO RESET option to the SET ROLE command?
>>>
>>> What I proposed some time ago is SET ROLE … GUARDED BY ‘password’, so
>>> that you could later: RESET ROLE WITH ‘password'
>>
>> I like that too, but see it as a separate feature. FWIW that is also
>> supported by the set_user extension referenced elsewhere on this thread.
>
> IMHO, the best solution here would be a protocol message to change the
> session user. The pooler could use that repeatedly on the same
> session, but refuse to propagate such messages from client
> connections.
I think that is a different use case and both are needed.
In my case I have scripts that I want to execute with limited privileges
and make sure the scripts cannot escape the sandbox via RESET ROLE.
Thanks,
Michal