On Tue, Mar 27, 2012 at 02:58:26PM +0200, Magnus Hagander wrote:
> On Tue, Mar 27, 2012 at 11:04, Noah Misch <noah@leadboat.com> wrote:
> > On Mon, Mar 26, 2012 at 07:53:25PM -0400, Robert Haas wrote:
> >> I think the more important question is a policy question: do we want
> >> it to work like this? ?It seems like a policy question that ought to
> >> be left to the DBA, but we have no policy management framework for
> >> DBAs to configure what they do or do not wish to allow. ?Still, if
> >> we've decided it's OK to allow cancelling, I don't see any real reason
> >> why this should be treated differently.
> >
> > The DBA can customize policy by revoking public execute permissions on
> > pg_catalog.pg_terminate_backend and interposing a security definer function
> > implementing his checks. ?For the population who will want something different
> > here, that's adequate.
>
> Well, by that argument, we can keep pg_terminate_backend superuser
> only and have the user wrap a security definer function around it to
> *get* it, no?
Yes. However, if letting users terminate their own backends makes for a
better default, we should still make it so.
