On 04/30/21 22:00, Mark Dilger wrote:
> Viewing all of this in terms of which controls allow the tenant to escape
> a hypothetical sandbox seems like the wrong approach. Shouldn't we let
> service providers decide which controls would allow the tenant to escape
> the specific sandbox the provider has designed?
I agree that sounds more like the right approach. It seems to me that
in the general case, a provider might conclude that setting foo is
safe in the provider-designed sandbox /if the value being assigned
to it satisfies some provider-determined conditions/.
On 04/30/21 20:02, Chapman Flack wrote:
> So that suggests to me some mechanism where a provider could grant
> setting foo to role bar using validator baz().
>
> Can SUSET GUCs be set from SECURITY DEFINER functions? Maybe there are
> already the pieces to do that, minus some syntax sugar.
The answer seems to be yes: I just created a SECURITY DEFINER function
and used it to change a SUSET-only GUC setting.
So it seems the machinery is already in place with which a provider
could allow a chosen set of SUSET-only GUCs to be set, to values that
satisfy provider-determined conditions, by users in a provider-chosen
role.
Some pretty syntax like GRANT SETTING foo TO ROLE bar WHERE cond;
would simply be sugar on top.
Regards,
-Chap