Re: Standards compliance of SET ROLE / SET SESSION AUTHORIZATION

On 2/14/20 4:01 PM, Tom Lane wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> It wouldn't be difficult to introduce a new protocol-level option that
>> prohibits RESET SESSION AUTHORIZATION; and it would also be possible
>> to introduce a new protocol message that has the same effect as RESET
>> SESSION AUTHORIZATION. If you do those two things, then it's possible
>> to create a sandbox which the end client cannot escape but which the
>> pooler can escape easily.
> ...
>     SET SESSION AUTHORIZATION foo PERMANENT;
> ...  A protocol-level message
> to set session auth could also be possible, of course.

I'll once again whimper softly and perhaps ineffectually that an
SQL-exposed equivalent like

 SET SESSION AUTHORIZATION foo WITH RESET COOKIE 'lkjhikuhoihkihlj';

would seem to suit the same purpose, with the advantage of being
immediately usable by any kind of front- or middle-end code the
instant there is a server version that supports it, without having
to wait for something new at the protocol level to trickle through
to n different driver implementations.

Regards,
-Chap