Robert Haas <robertmhaas@gmail.com> writes:
> I think the more important question is a policy question: do we want
> it to work like this? It seems like a policy question that ought to
> be left to the DBA, but we have no policy management framework for
> DBAs to configure what they do or do not wish to allow. Still, if
> we've decided it's OK to allow cancelling, I don't see any real reason
> why this should be treated differently.
Right now the only thing you can do to lock down pg_cancel_backend is
to make sure non-mutually-trusting users aren't given the same user ID.
Which, well, duh. Somebody with your user ID can probably do a lot more
damage than just cancelling your queries/sessions.
I do wonder though (and am too lazy to go look) whether the
pg_cancel_backend check is a strict user ID match or it allows
member-of-role matches. We might want to think a bit more carefully
about the implications if it's the latter.
regards, tom lane