Re: AIO v2.5
From | Melanie Plageman |
---|---|
Subject | Re: AIO v2.5 |
Date | |
Msg-id | CAAKRu_YCUOBRJoKu6=nPS2i9-ROcaYgeTxaSevLzdyV6BgcG5A@mail.gmail.com |
In reply to | Re: AIO v2.5 (Andres Freund <andres@anarazel.de>) |
List | pgsql-hackers |

On Sat, Mar 29, 2025 at 2:25 PM Andres Freund <andres@anarazel.de> wrote:
>
> I think I found an issue with this one - as it stands the view was viewable by
> everyone. While it doesn't provide a *lot* of insight, it still seems a bit
> too much for an unprivileged user to learn what part of a relation any other
> user is currently reading.
>
> There'd be two different ways to address that:
> 1) revoke view & function from public, grant to a limited role (presumably
>    pg_read_all_stats)
> 2) copy pg_stat_activity's approach of using something like
>
> #define HAS_PGSTAT_PERMISSIONS(role) (has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS) || has_privs_of_role(GetUserId(),role))
>
>    on a per-IO basis.

Is it easier to later change it to be more restrictive or less? If it
is easier to later lock it down more, then go with 2, otherwise go
with 1?

- Melanie
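
The two options discussed in this message, sketched at the SQL level as an added example that is not part of the original e-mail or of the PostgreSQL patch. The demo_* roles, table and views are hypothetical stand-ins with constructed rows, and the script assumes a superuser session on a scratch database (it rolls everything back at the end).

```sql
-- Added illustration; every demo_* name is hypothetical, rows are constructed.
BEGIN;
CREATE ROLE demo_alice;
CREATE ROLE demo_bob;
CREATE ROLE demo_monitor;
GRANT pg_read_all_stats TO demo_monitor;

-- Stand-in for the per-IO data behind the view under discussion.
CREATE TABLE demo_io_handles (
    io_id      int,
    owner_role name,   -- role whose backend issued the IO
    target     text    -- which part of which relation is being read
);
INSERT INTO demo_io_handles VALUES
    (1, 'demo_alice', 'relation A, blocks 0-15'),
    (2, 'demo_bob',   'relation B, blocks 32-47');

-- Option 1: the whole object is off limits unless you hold pg_read_all_stats.
CREATE VIEW demo_io_opt1 AS SELECT * FROM demo_io_handles;
REVOKE ALL ON demo_io_opt1 FROM PUBLIC;
GRANT SELECT ON demo_io_opt1 TO pg_read_all_stats;

-- Option 2: anyone may query, but the sensitive column is filled in per row
-- only for pg_read_all_stats or for roles with the privileges of the IO's owner
-- (pg_has_role(..., 'USAGE') is the SQL-level check backed by has_privs_of_role).
CREATE VIEW demo_io_opt2 AS
SELECT io_id,
       owner_role,
       CASE WHEN pg_has_role(current_user, 'pg_read_all_stats', 'USAGE')
              OR pg_has_role(current_user, owner_role, 'USAGE')
            THEN target
       END AS target
FROM demo_io_handles;
GRANT SELECT ON demo_io_opt2 TO PUBLIC;

-- Option 1 check: which roles can read the view at all.
SELECT r AS role_name, has_table_privilege(r, 'demo_io_opt1', 'SELECT') AS can_select
FROM unnest(ARRAY['demo_alice', 'demo_monitor']::name[]) AS r;

-- Option 2 check, run as demo_alice: the CASE hides target on other roles' rows.
SET LOCAL ROLE demo_alice;
SELECT * FROM demo_io_opt2;
RESET ROLE;

ROLLBACK;
```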