Tom Lane writes:
> 1. "real user" = what you originally authenticated to the postmaster.
>
> 2. "session user" = what you can SET if your real identity is a superuser.
>
> 3. "current user" = effective userid for permission checks.
We could have a Boolean variable "authenticated user is superuser" which
would serve as the permission to execute SET SESSION AUTHENTICATION, while
we would not actually be making the identity of the real/authenticated
user available (so as to not confuse things unnecessarily).
> if a setuid function
> does a CREATE, shouldn't the created object be owned by the setuid user?
> I'm not sure that I *want* to accept the SQL spec on this point.
Me neither.
--
Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter