> On 13 Feb 2020, at 23:55, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Is this being worked on for the 13 cycle such that it should be an open item?
> Given the current behavior of SET ROLE and SET SESSION AUTHORIZATION,
> I don't actually see any way that we could get these features to
> play together. SET SESSION AUTHORIZATION insists on the originally
> authenticated user being a superuser, so that the documented point of
> --role (to allow you to start the restore from a not-superuser role)
> isn't going to work. I thought about starting to use SET ROLE for
> both purposes, but it checks whether you have role privilege based
> on the session userid, so that a previous SET ROLE doesn't get you
> past that check even if it was a successful SET ROLE to a superuser.
>
> The quick-and-dirty answer is to disallow these switches from being
> used together in pg_restore, and I'm inclined to think maybe we should
> do that in the back branches.
..or should we do this for v13 and back-branches and leave fixing it for 14?
Considering the potential invasiveness of the fix I think the latter sounds
rather appealing at this point in the cycle. Something like the attached
should be enough IIUC.
cheers ./daniel
