Antonios Christofides <anthony@itia.ntua.gr> writes:
> In PostgreSQL there are actually up to THREE users active, not two:
> - The user who connected, which I shall call "connected user".
> - The user who became effective as the result of "alter session
> authorization" command. This is the user returned by session_user.
> - The user who is applicable for permission checking, current_user.
> If you try to "alter session authorization", PostgreSQL uses the
> "connected user" to determine whether you have permission to do so (or,
> at least, remembers that you initially connected as superuser). The
> current user is used in most other cases of permission checking.
[ looks at code... ] It does remember the original userid (which is
called AuthenticatedUser in the code), but AFAICT the only thing that
is actually used is knowledge of whether that userid is a superuser.
> The 7.4 manual, however, says that the session_user "is the user that
> initiated a database connection", and fails to mention "alter session
> authorization". Is the manual in error or the implementation?
The manual could stand improvement, evidently. I think this stuff is
correctly described in the vicinity of SET SESSION AUTHORIZATION, but
the status-function documentation sounds like it needs work. Feel free
to send in a docs patch ...
regards, tom lane