Re: Additional role attributes && superuser review

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Additional role attributes && superuser review
Date: 2015-03-16 20:49:06
Message-ID: 20150316204906.GZ29780@tamriel.snowman.net
Lists: pgsql-hackers

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > ... Lastly, there is the question of pg_cancel_backend and
> > pg_terminate_backend. My thinking on this is to create a new
> > 'pg_signal_backend' which admins could grant access to and leave the
> > existing functions alone (modulo the change for has_privs_of_role as
> > discussed previously). We'd rename the current 'pg_signal_backend' to
> > something else (maybe '_helper'); it's not exposed anywhere and
> > therefore renaming it shouldn't cause any heartache.
>
> That seems fairly ugly. Why would we need a new, duplicative function
> here? (Apologies if the reasoning was spelled out upthread, I've not
> been paying much attention.)

Currently, those functions allow users to signal backends which are
owned by them, which means they can be used by anyone. Simply
REVOKE'ing access to them would remove that capability and an admin who
then GRANT's access to the function would need to understand that
they're allowing that user the ability to cancel/terminate any backends
(except those initiated by superusers, at least if we keep that check as
discussed upthread).

If those functions simply had superuser() checks that prevented anyone
else from using them then this wouldn't be an issue.

REVOKE'ing access *without* removing the permissions checks would defeat
the intent of these changes, which is to allow an administrator to grant
the ability for a certain set of users to cancel and/or terminate
backends started by other users, without also granting those users
superuser rights.

Thanks!

Stephen
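The delegation pattern the message describes (letting a chosen set of users terminate other users' backends without handing them superuser) can be approximated today with a SECURITY DEFINER wrapper owned by a superuser. The following is an added illustration, not code from this thread or from PostgreSQL itself; the role name backend_killer and the function name admin_terminate_backend are hypothetical. It also implements the "except backends initiated by superusers" check that the thread discusses, since a raw GRANT on pg_terminate_backend (or a wrapper without such a check) would otherwise let the grantee kill any backend the wrapper's owner could.

```sql
-- Added example (not from the thread): delegate pg_terminate_backend
-- via a SECURITY DEFINER wrapper, run as a superuser. Names are assumed.

CREATE ROLE backend_killer NOLOGIN;

CREATE OR REPLACE FUNCTION admin_terminate_backend(target_pid integer)
RETURNS boolean
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so a caller cannot shadow pg_terminate_backend or
-- pg_stat_activity through a schema of their own.
SET search_path = pg_catalog
AS $$
DECLARE
    target_is_super boolean;
BEGIN
    -- Look up the owner of the target backend. Because this runs as the
    -- definer (a superuser), pg_stat_activity shows every session.
    SELECT r.rolsuper
      INTO target_is_super
      FROM pg_stat_activity a
      JOIN pg_roles r ON r.oid = a.usesysid
     WHERE a.pid = target_pid;

    IF NOT FOUND THEN
        RAISE EXCEPTION 'no client backend with pid %', target_pid;
    END IF;

    -- Mirror the check discussed upthread: never let a delegated role
    -- terminate a superuser's session.
    IF target_is_super THEN
        RAISE EXCEPTION 'refusing to terminate superuser backend %', target_pid;
    END IF;

    RETURN pg_terminate_backend(target_pid);
END;
$$;

-- Functions are executable by PUBLIC by default, so revoke first and
-- then grant only to the delegated role.
REVOKE EXECUTE ON FUNCTION admin_terminate_backend(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION admin_terminate_backend(integer) TO backend_killer;

-- A member of backend_killer can now terminate an ordinary user's session:
--   SELECT admin_terminate_backend(12345);
```

The wrapper has to be created by a superuser for pg_terminate_backend to succeed on sessions the caller does not own, which is the point Stephen makes: what is being granted is the ability to signal anyone's backend, so the permission check belongs in the callable object, not only in the GRANT. Backends with no associated role (background processes) fail the JOIN and are rejected rather than terminated.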
