Re: pg_parameter_aclcheck() and trusted extensions

On Thu, Jul 07, 2022 at 12:41:00PM -0400, Tom Lane wrote:
> Yeah.  So the fix here seems pretty obvious: rather than applying the
> permissions check using bare GetUserId(), we need to remember the role
> OID that originally applied the setting, and use that.

Please ignore my previous message.  This makes sense.

> The problem with this sketch is that
> 
> (1) we need an OID field in struct config_generic, as well as GucStack,
> which means an ABI break for any extensions that look directly at GUC
> records.  There probably aren't many, but ...
> 
> (2) we need an additional parameter to set_config_option, which
> again is a compatibility break for anything calling that directly.
> There surely are such callers --- our own extensions do it.
> 
> Can we get away with doing these things in beta3?  We could avoid
> breaking (2) in the v15 branch by making set_config_option into
> a wrapper around set_config_option_ext, or something like that;
> but the problem with struct config_generic seems inescapable.
> (Putting the new field at the end would solve nothing, since
> config_generic is embedded into larger structs.)
> 
> The alternative to API/ABI breaks seems to be to revert the
> feature, which would be sad.

I personally lean more towards the compatibility break than reverting the
feature.  There are still a couple of months before 15.0, and I suspect it
won't be too difficult to fix any extensions that break because of this.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com