Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> (In other words, it's not that hard to build
>> a "RUN AS other-user" feature into a C function, even without any support
>> from the rest of the system.)
> I was considering this and a bit concerned about what would happen if
> the C function actually did this and if we'd clean things up properly at
> the end or if the function would be required to handle that clean-up
> (if it was written as SECUURITY INVOKER, which is what's being suggested
> here)...
It would have to remember to restore the previous role on normal exit,
but I believe that the system would take care of cleanup if an error is
thrown. Looking at fmgr_security_definer, there are just a couple of
lines involved with changing the active role. (There's a boatload of
*other* crap that's been shoved into that function over time, but the
part of it that actually does what it's named for is pretty darn small.)
> Alvaro's point about the discussion of a stack of roles is certainly
> something else to consider, though I feel that the 'run-as' option is
> pretty straight-forward and could be done more-or-less identically to
> how we do secuirty definer now, it's just changing where we get the role
> to change to before running the function.
Yes, it would surely not be much more code, just a bit added here:
if (procedureStruct->prosecdef) fcache->userid = procedureStruct->proowner;
regards, tom lane