* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> IIRC, we do have mechanism now whereby a superuser can establish settings
> for SUSET variables via ALTER ROLE SET/ALTER DATABASE SET, and
> everything works as expected.
I'm not entirely convinced that it works as expected, at least for
temp_tablespaces currently. This was a bit surprising to me:
=# alter user test_role set temp_tablespaces='zz';
NOTICE: tablespace "zz" does not exist
ALTER ROLE
=*# commit;
COMMIT
=# set role test_role;
SET
=*> show temp_tablespaces;temp_tablespaces
------------------rn_temp_01
(1 row)
> So the only loss of flexibility here
> would be if you want unprivileged code to be able to set
> temp_tablespaces for itself.
I'm on the fence about this one. I could see that being useful in some
cases when there are a lot of temporary tables being created and you
need more than one tablespace for simple space reasons. It'd be
unfortuante if you had to be a superuser and/or call a superuser
security definer function to handle that situation.
> However, if you want that then it's hard
> to argue that there shouldn't be a permissions check, and then we're
> back into the surprises mentioned previously.
I'm not sure we're going to be able to get away from that.
> It might be possible to compromise on an arrangement whereby tablespace
> permissions checking only occurs if the active value of the variable was
> set by a non-superuser. But TBH that idea fills me with dread --- we
> don't have any other GUCs that work like that, and it seems too likely
> that there would be conceptual or implementation bugs in it.
I don't particularly like that either.
Thanks,
Stephen
