Re: Index build temp files

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> IIRC, we do have mechanism now whereby a superuser can establish settings
> for SUSET variables via ALTER ROLE SET/ALTER DATABASE SET, and
> everything works as expected.

I'm not entirely convinced that it works as expected, at least for
temp_tablespaces currently. This was a bit surprising to me:

=# alter user test_role set temp_tablespaces='zz';
NOTICE: tablespace "zz" does not exist
ALTER ROLE
=*# commit;
COMMIT
=# set role test_role;
SET
=*> show temp_tablespaces;
temp_tablespaces
------------------
rn_temp_01
(1 row)

> So the only loss of flexibility here
> would be if you want unprivileged code to be able to set
> temp_tablespaces for itself.

I'm on the fence about this one. I could see that being useful in some
cases when there are a lot of temporary tables being created and you
need more than one tablespace for simple space reasons. It'd be
unfortuante if you had to be a superuser and/or call a superuser
security definer function to handle that situation.

> However, if you want that then it's hard
> to argue that there shouldn't be a permissions check, and then we're
> back into the surprises mentioned previously.

I'm not sure we're going to be able to get away from that.

> It might be possible to compromise on an arrangement whereby tablespace
> permissions checking only occurs if the active value of the variable was
> set by a non-superuser. But TBH that idea fills me with dread --- we
> don't have any other GUCs that work like that, and it seems too likely
> that there would be conceptual or implementation bugs in it.

I don't particularly like that either.

Thanks,

Stephen