Home > mailing lists

Re: Switching roles as an replacement of connection pooling tools - Mailing list pgsql-general

From	Tom Lane
Subject	Re: Switching roles as an replacement of connection pooling tools
Date	May 31, 2016 17:48:56
Msg-id	2370.1464706126@sss.pgh.pa.us Whole thread Raw
In response to	Re: Switching roles as an replacement of connection pooling tools ("David G. Johnston" <david.g.johnston@gmail.com>)
Responses	Re: Switching roles as an replacement of connection pooling tools ("David G. Johnston" <david.g.johnston@gmail.com>)
List	pgsql-general

Tree view

"David G. Johnston" <david.g.johnston@gmail.com> writes:
> Is there a reason something "SET ROLE ... WITH SETTINGS" couldn't be
> implemented?

Unless there's something underlying that proposal that I'm not seeing,
it only deals with one of the problems in this area.  The security-
related issues remain unsolved.

AFAICS there's a pretty fundamental tension here around the question
of how hard it is to revert to the original role.  If it's not possible
to do that then a connection pooler can't serially reuse a connection for
different users, which largely defeats the point.  If it is possible, how
do you keep that from being a security hole, ie one of the pool users can
gain privileges of another one?

(And, btw, I repeat that all of this has been discussed before on our
lists.)

            regards, tom lane

pgsql-general by date:

From: Achilleas Mantzios
Date: 31 May 2016, 17:37:44
Subject: Re: Switching roles as an replacement of connection pooling tools

From: "David G. Johnston"
Date: 31 May 2016, 18:05:22
Subject: Re: Switching roles as an replacement of connection pooling tools

Re: Switching roles as an replacement of connection pooling tools - Mailing list pgsql-general

Previous

Next