Noah Misch <noah@leadboat.com> writes:
> On Sun, Oct 02, 2011 at 06:55:51AM -0400, Robert Haas wrote:
>> On Sat, Oct 1, 2011 at 10:11 PM, Euler Taveira de Oliveira
>> <euler@timbira.com> wrote:
>>> I see. What about passing this decision to DBA? I mean a GUC
>>> can_cancel_session = user, dbowner (default is '' -- only superuser). You
>>> can select one or both options. This GUC can only be changed by superuser.
>> Or how about making it a grantable database-level privilege?
> I think either is overkill. You can implement any policy by interposing a
> SECURITY DEFINER wrapper around pg_cancel_backend().
I'm with Noah on this. If allowing same-user cancels is enough to solve
95% or 99% of the real-world use cases, let's just do that. There's no
very good reason to suppose that a GUC or some more ad-hoc privileges
will solve a large enough fraction of the rest of the cases to be worth
their maintenance effort. In particular, I think both of the above
proposals assume way too much about the DBA's specific administrative
requirements.
regards, tom lane
