On 2014-01-21 20:00:51 -0500, Stephen Frost wrote:
> * Josh Berkus (josh@agliodbs.com) wrote:
> > It would be really nice to be able to GRANT/REVOKE on some of these
> > special system views ...
Just define a security definer wrapper function + view, that afair works
perfectly fine.
> Well, we actually *can* issue grant/revoke against the underlying
> function calls, but we are also doing permissions checks *in* those
> functions, ignoring our own GRANT system.
> Don't know what folks think of removing those in-the-function checks in
> favor of trusting the grant/revoke system to not allow those functions
> to be called unless you have EXECUTE privileges on them..
Well, they *do* return some information when called without superuser
privileges. Just not all columns for all sessions. I don't think you can
achieve that with anything in our permission system.
Greetings,
Andres Freund
-- Andres Freund http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services