Re: pg_cancel_backend by non-superuser

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Noah Misch <noah(at)leadboat(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Euler Taveira de Oliveira <euler(at)timbira(dot)com>, Daniel Farina <daniel(at)heroku(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pg_cancel_backend by non-superuser
Date: 2011-10-02 21:32:33
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Noah Misch <noah(at)leadboat(dot)com> writes:
> On Sun, Oct 02, 2011 at 06:55:51AM -0400, Robert Haas wrote:
>> On Sat, Oct 1, 2011 at 10:11 PM, Euler Taveira de Oliveira
>> <euler(at)timbira(dot)com> wrote:
>>> I see. What about passing this decision to DBA? I mean a GUC
>>> can_cancel_session = user, dbowner (default is '' -- only superuser). You
>>> can select one or both options. This GUC can only be changed by superuser.

>> Or how about making it a grantable database-level privilege?

> I think either is overkill. You can implement any policy by interposing a
> SECURITY DEFINER wrapper around pg_cancel_backend().

I'm with Noah on this. If allowing same-user cancels is enough to solve
95% or 99% of the real-world use cases, let's just do that. There's no
very good reason to suppose that a GUC or some more ad-hoc privileges
will solve a large enough fraction of the rest of the cases to be worth
their maintenance effort. In particular, I think both of the above
proposals assume way too much about the DBA's specific administrative

regards, tom lane

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2011-10-02 21:35:31 Re: [REVIEW] pg_last_xact_insert_timestamp
Previous Message Tom Lane 2011-10-02 21:25:19 Re: build times