On Thu, Nov 4, 2021 at 12:03 PM Jeff Davis <pgsql@j-davis.com> wrote:
> The approach of using a function's ACL to represent the ACL of a
> higher-level command (as in this patch) does feel right to me. It feels
> like something we might extend to similar situations in the future; and
> even if we don't, it seems like a clean solution in isolation.
It feels wrong to me. I realize that it's convenient to be able to
re-use the existing GRANT and REVOKE commands that we have for
functions, but actually DDL interfaces are better than SQL functions,
because the syntax can be richer and you can avoid things like needing
to take a snapshot. This particular patch dodges that problem, which
is both a good thing and also clever, but it doesn't really make me
feel any better about the concept in general.
I think that the ongoing pressure to reduce as many things as possible
to function permissions checks is ultimately going to turn out to be
an unpleasant dead end. But by the time we reach that dead end we'll
have put so much effort into making it work that it will be hard to
change course, for backward-compatibility reasons among others.
I don't have anything specific to propose, which I realize is kind of
unhelpful ... but I don't like this, either.
--
Robert Haas
EDB: http://www.enterprisedb.com
