| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Josh Berkus <josh(at)agliodbs(dot)com> |
| Cc: | Craig Ringer <craig(at)2ndquadrant(dot)com>, Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, Harold Giménez <harold(at)heroku(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: proposal: hide application_name from other users |
| Date: | 2014-01-22 01:00:51 |
| Message-ID: | 20140122010051.GT31026@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Josh Berkus (josh(at)agliodbs(dot)com) wrote:
> It would be really nice to be able to GRANT/REVOKE on some of these
> special system views ...
Well, we actually *can* issue grant/revoke against the underlying
function calls, but we are also doing permissions checks *in* those
functions, ignoring our own GRANT system.
Don't know what folks think of removing those in-the-function checks in
favor of trusting the grant/revoke system to not allow those functions
to be called unless you have EXECUTE privileges on them.. I've not
really tried to look at if that'd work or not, but if we could do that,
it'd certainly give admins a great deal more flexibility to control who
has access to what calls.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2014-01-22 01:08:27 | Re: proposal: hide application_name from other users |
| Previous Message | Andres Freund | 2014-01-22 00:58:12 | Re: Hard limit on WAL space used (because PANIC sucks) |