Re: [HACKERS] proposal: session server side variables
From | Fabien COELHO |
---|---|
Subject | Re: [HACKERS] proposal: session server side variables |
Date | |
Msg-id | alpine.DEB.2.20.1612261601180.4911@lancre |
In reply to | Re: [HACKERS] proposal: session server side variables (Pavel Stehule <pavel.stehule@gmail.com>) |
Replies | Re: [HACKERS] proposal: session server side variables |
List | pgsql-hackers |
Hello Pavel,

>> SET ROLE Admin;
>> DECLARE @secure_variable INTEGER RESTRICT; -- only accessible to Admin
>
> Why introduce another security system?

That is a good question. I would prefer to avoid it and just have simple session variables... but this is not what you want, so I'm trying to find a compromise which both gives you the feature you are seeking and would keep session variables inexpensive, i.e. without catalog costs.

Simplistic PUBLIC/PRIVATE permissions on simple session variables can be done with nothing (no additional data structures):

    (store: hash_put(<owner id if private or nothing> || '@varname', value);
     consult: if exists(<owner id> || '@varname') then return it
              else if exists('@varname') then return it
              else "error variable does not exist").

Now if you can offer an inexpensive GRANT/REVOKE on simple session variables, i.e. without catalog changes, then I think I would agree to it, even if I would not like it much.

The reason I "do not like much" is subjective. I associate SQL permission commands (GRANT, REVOKE...) with real SQL "objects" (i.e. persistent, transactional, secured things subject to CREATE ALTER DROP...). However light-weight session variables are not really like that.

Also if you can have inexpensive GRANT/REVOKE then probably I would also have to accept "CREATE SESSION VARIABLE @foo", because it would be consistent to have it with GRANT/REVOKE. I would "not like it much" either to have CREATE for a non-persistent object, but that is life...

However I understood that for permissions you do need "pg_class", which means catalog changes on session variable creation, which means expensive for simple session variables, so not desirable.

--
Fabien.
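The PUBLIC/PRIVATE keying scheme sketched in the message above, as an added example that is not part of the original message or of PostgreSQL. A Python dict stands in for the session hash table; the class and method names and the role ids 10 and 20 are assumptions made for illustration.

```python
class SessionVariables:
    """One dict per session; key is "<owner id>@name" if private, "@name" if public."""

    def __init__(self, role_id: int):
        self._vars = {}           # stands in for the session hash table
        self.role_id = role_id    # current role, changed by set_role()

    def set_role(self, role_id: int) -> None:
        self.role_id = role_id

    @staticmethod
    def _key(owner, name: str) -> str:
        # The owner part must be a numeric id: a free-form role name that is
        # empty or contains '@' would make private and public keys ambiguous.
        if owner is not None and not isinstance(owner, int):
            raise TypeError("owner must be a numeric role id")
        return f"{'' if owner is None else owner}@{name}"

    def store(self, name: str, value, private: bool = False) -> None:
        owner = self.role_id if private else None
        self._vars[self._key(owner, name)] = value

    def consult(self, name: str):
        # Private entry of the current role first, then the public one.
        for owner in (self.role_id, None):
            key = self._key(owner, name)
            if key in self._vars:
                return self._vars[key]
        raise KeyError(f"variable @{name} does not exist")

def demo():
    ADMIN, APP = 10, 20                       # constructed role ids
    s = SessionVariables(ADMIN)
    s.store("secure_variable", 42, private=True)
    s.store("counter", 1)                     # public
    s.set_role(APP)
    seen = {"counter": s.consult("counter")}
    try:
        s.consult("secure_variable")
    except KeyError:
        seen["secure_variable"] = "does not exist"
    s.store("secure_variable", 7)             # public variable, same name
    seen["app"] = s.consult("secure_variable")
    s.set_role(ADMIN)
    seen["admin"] = s.consult("secure_variable")   # private entry shadows public
    return seen

if __name__ == "__main__":
    print(demo())
```

The last two lookups show a consequence of the fallback order: another role can create a public variable with the same name, and the owner still reads its own private value.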