Hello,
> Obviously each "user" could use RESET ROLE and become the super user.
Yes, this is a point not to forget, but isn't an issue in our case.
best regards,
Marc Mamin
From: Derrick Rice [mailto:derrick.rice@gmail.com]
Sent: Samstag, 4. Dezember 2010 00:21
To: Marc Mamin
Cc: pgsql-general@postgresql.org
Subject: Re: [GENERAL] RESET ROLE and search_path, Connection pool
On Fri, Dec 3, 2010 at 5:13 AM, Marc Mamin <M.Mamin@intershop.de> wrote:
Hello,
We are thinking about using a (java based) connection pool.
An issue is that there are many different users to connect.
My idea is to only have superuser connections in the pool
and change the connection role (with SET ROLE) each time
a user pick a connection there.
Tangential to your question, but important:
Obviously each "user" could use RESET ROLE and become the super user. This means that every piece of code that uses
thispool needs to have security appropriate for code using the super user. i.e. "Whatever, it's just using a read-only
role,nothing bad can happen" is no longer a valid argument (if it ever was).
Do you have that much faith / trust in every "user"?
* "user" in quotes because I'm guessing you are referring to different portions of your application / application suite
andhopefully not individual persons.
Derrick
