| From: | "Joel Jacobson" <joel(at)compiler(dot)org> |
|---|---|
| To: | "Pavel Stehule" <pavel(dot)stehule(at)gmail(dot)com> |
| Cc: | "Marko Tiikkaja" <marko(at)joh(dot)to>, "PostgreSQL Hackers" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: security_definer_search_path GUC |
| Date: | 2021-06-02 06:44:59 |
| Message-ID: | 9a558d29-e28b-4869-a30f-1568375fd96c@www.fastmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Jun 1, 2021, at 18:05, Pavel Stehule wrote:
> I learned programming on Orafce, and I didn't expect any success, so I designed it quickly, and the placing of old Orafce's functions to schemas is messy.
>
> I am sure, if I started again, I would never use pg_catalog or public schema. I think if somebody uses schema, then it is good to use schema for all without exceptions - but it expects usage of search_path. I am not sure if using public schema or using search_path are two sides of one thing.
I think you're right they both try to provide solutions to the same problem, i.e. when wanting to avoid having to fully-qualify.
However, they are very different, and while I think the 'public' schema is a great idea, I think 'search_path' has some serious problems. I'll explain why:
'search_path' is a bit like a global variable in C, that can change the behaviour of the SQL commands executed.
It makes unqualified SQL code context-sensitive; you don't know by looking at a piece of code what objects are referred to, you also need to figure out what the active search_path is at this place in the code.
'public' schema if used (without ever changing the default 'search_path'), allows creating unqualified database objects, which I think can be useful in at least three situations:
1) when the application is a monolith inside a company, when there is only one version of the database, i.e. not having to worry about name collision with other objects in some other version, since the application is hidden in the company and the schema design is not exposed to the public
2) when installing a extension that uses schemas, when wanting the convenience of unqualified access to some functions frequently used, instead of adding its schema to the search_path for convenience, one can instead add wrapper-functions in the 'public' schema. This way, all internal functions in the extension, that are not meant to be executed by users, are still hidden in its schema and won't bother anyone (i.e. can't cause unexpected conflicts). Of course, access can also be controlled via REVOKE EXECUTE ... FROM PUBLIC for such internal functions, which is probably a good idea as well.
In a similar way, specific tables in the extension's schema can be made unqualified as well by adding simple views, installed in the public schema, if insisting on unqualified convenience.
In conclusion:
The main difference is 'public' makes it possible to make *specific* objects unqualified,
while 'search_path' makes *all* objects in such schema(s) unqualified.
/Joel
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2021-06-02 07:07:18 | Re: security_definer_search_path GUC |
| Previous Message | Dilip Kumar | 2021-06-02 06:44:23 | Re: [BUG]Update Toast data failure in logical replication |