Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> That seems fairly ugly. Why would we need a new, duplicative function
>> here? (Apologies if the reasoning was spelled out upthread, I've not
>> been paying much attention.)
> Currently, those functions allow users to signal backends which are
> owned by them, which means they can be used by anyone. Simply
> REVOKE'ing access to them would remove that capability and an admin who
> then GRANT's access to the function would need to understand that
> they're allowing that user the ability to cancel/terminate any backends
> (except those initiated by superusers, at least if we keep that check as
> discussed upthread).
> If those functions simply had superuser() checks that prevented
> anyone else from using them then this wouldn't be an issue.
> REVOKE'ing access *without* removing the permissions checks would defeat
> the intent of these changes, which is to allow an administrator to grant
> the ability for a certain set of users to cancel and/or terminate
> backends started by other users, without also granting those users
> superuser rights.
I see: we have two different use-cases and no way for GRANT/REVOKE
to manage both cases using permissions on a single object. Carry
on then.
regards, tom lane
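As an added illustration of the second use-case Stephen describes (a designated set of users may cancel backends started by other, non-superuser users, without holding superuser rights), here is the way an administrator can express it today with the existing built-ins, without touching the GRANT/REVOKE state of pg_cancel_backend itself. This is example SQL written for this page, not the new function proposed in the thread and not project code. It assumes a role named ops_support exists (hypothetical name), that the statements are run by a superuser (the SECURITY DEFINER wrapper must be owned by one so the built-in's own "must own the backend" check passes), and it applies the "never signal a superuser's backend" restriction discussed upthread.

```sql
-- Added example, not from the thread: a user-space wrapper that grants a
-- limited, auditable ability to cancel other users' backends.
-- Assumption: run as a superuser; role ops_support is hypothetical.

CREATE FUNCTION cancel_user_backend(target_pid integer)
RETURNS boolean
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so a caller cannot shadow pg_catalog objects.
SET search_path = pg_catalog, pg_temp
AS $$
DECLARE
    target_is_super boolean;
BEGIN
    -- Resolve the role that owns the target backend. Background workers
    -- and autovacuum have a NULL usesysid, so they fall out of the join
    -- and are refused below (fail closed).
    SELECT r.rolsuper INTO target_is_super
      FROM pg_catalog.pg_stat_activity a
      JOIN pg_catalog.pg_roles r ON r.oid = a.usesysid
     WHERE a.pid = target_pid;

    IF NOT FOUND THEN
        RAISE EXCEPTION 'no user backend with PID %', target_pid;
    END IF;

    -- The restriction discussed upthread: superuser backends stay off limits
    -- even for users who hold this privilege.
    IF target_is_super THEN
        RAISE EXCEPTION 'cannot cancel a superuser backend (PID %)', target_pid;
    END IF;

    -- Executes with the definer's (superuser) rights, so the built-in's
    -- ownership check does not block cancelling another user's backend.
    RETURN pg_catalog.pg_cancel_backend(target_pid);
END;
$$;

-- Only the designated role may call the wrapper; everyone else keeps
-- exactly what they had (pg_cancel_backend on their own backends).
REVOKE EXECUTE ON FUNCTION cancel_user_backend(integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION cancel_user_backend(integer) TO ops_support;

-- Usage, as a member of ops_support:
--   SELECT cancel_user_backend(12345);
```

The wrapper keeps the two cases on two different objects, which is exactly the separation the thread concludes GRANT/REVOKE cannot express on the single built-in: PUBLIC retains the "signal my own backends" behaviour of pg_cancel_backend, while ops_support gains the broader right through cancel_user_backend. The same pattern works for pg_terminate_backend; note that the wrapper's superuser check is only as good as the pg_stat_activity lookup, which is why unresolvable PIDs are refused rather than passed through.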