On Tue, Jan 31, 2012 at 9:10 AM, Yeb Havinga <yebhavinga(at)gmail(dot)com> wrote:
> On 2012-01-31 14:06, Robert Haas wrote:
>> On Tue, Jan 31, 2012 at 4:36 AM, Yeb Havinga<yebhavinga(at)gmail(dot)com> wrote:
>>> What about always allowing a transition to the default / postgresql.conf
>>> configured client label, so in the case of errors, or RESET, the
>>> to this domain is hardcoded to succeed. This would also be useful in
>>> conjunction with a connection pooler. This would still allow the option
>>> prevent a back transition to non-default client labels.
>> I don't think you can make that work, because someone can still
>> attempt to RESET to a different value, and it's still not safe to make
>> that fail.
> But the idea is that if that different value is a (possibly changed into a
> new) allowed default value, a RESET to that new default value will be
> allowed, by definition, because it is a default value.
I'm not sure I follow you. If you're saying that we can make this
work by always allowing the value to be reset, then I agree with you,
but I'm not sure those are the semantics KaiGai wants. For instance,
if a connection pooler does:
SET sepgsql.client_label = 'bob_t';
...and then hands off to the client, the client can then do:
SET sepgsql.client_label = 'alice_t';
....and that's bad. More generally, the system security policy is
designed to answer questions about whether it's OK to transition from
A->B, and the fact that A->B is OK does not mean that B->A is OK, but
our GUC mechanism pretty much forces you to allow both of those
things, or neither.
The Enterprise PostgreSQL Company
In response to
pgsql-hackers by date
|Next:||From: Merlin Moncure||Date: 2012-01-31 14:35:03|
|Subject: Re: JSON for PG 9.2|
|Previous:||From: Robert Haas||Date: 2012-01-31 14:24:45|
|Subject: Re: Group commit, revised|