Re: Granting SET and ALTER SYSTE privileges for GUCs

> On Mar 6, 2022, at 3:27 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Mark Dilger <mark.dilger@enterprisedb.com> writes:
>> The existing patch allows grants on unknown gucs, because it can't know what guc an upgrade script will introduce,
andthe grant statement may need to execute before the guc exists. 
>
> Yeah, that's the problematic case.  It might mostly work to assume that
> an unknown GUC has an empty default ACL.  This could fail to retain the
> default PUBLIC SET permission if it later turns out the GUC is USERSET

On further reflection, I concluded this isn't needed.  No current extension, whether in-core or third party, expects to
beable to create a new GUC and then grant or revoke permissions on it.  They can already specify the guc context
(PGC_USERS,etc).  Introducing a feature that depends on the dubious assumption that unrecognized GUCs will turn out to
beUSERSET doesn't seem warranted. 

The patch attributes all grants of setting privileges to the bootstrap superuser.  Only superusers can grant or revoke
privilegeson settings, and all settings are implicitly owned by the bootstrap superuser because there is no explicit
ownerassociated with settings.  Consequently, select_best_grantor(some_superuser, ..., BOOTSTRAP_SUPERUSERID, ...)
alwayschooses the bootstrap superuser.  I don't see a problem with this, but wouldn't mind a second opinion.  Some
peoplemight find it surprising when viewing the pg_setting_acl.setacl field. 



—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company