Home > mailing lists

Re: current_role of caller of a DEFINER function - Mailing list pgsql-general

From	Dominique Devienne
Subject	Re: current_role of caller of a DEFINER function
Date	June 26 15:58:44
Msg-id	CAFCRh-__EGUUezjcSNqEJOmr68dKdBMS3hcxqUw8x-ory_NeJA@mail.gmail.com Whole thread Raw
In response to	Re: current_role of caller of a DEFINER function ("David G. Johnston" <david.g.johnston@gmail.com>)
List	pgsql-general

Tree view

On Wed, Jun 26, 2024 at 2:42 PM David G. Johnston
<david.g.johnston@gmail.com> wrote:
> On Wednesday, June 26, 2024, Dominique Devienne <ddevienne@gmail.com> wrote:
>> Only session_user
>> is representative of the caller, and reliable (modulo SUPERUSER and
>> SET AUTHORIZATION, but that's a different story and kinda normal)
>
> Why can you not use session_user then?

Hi. As I already wrote above, the current_role matters in our security model.
The LOGIN user (i.e. session_user) is used only for authentication to
the DB and to connect.
All other security concerns are on other app-maintained (NOLOGIN)
roles, used for authorization. --DD

pgsql-general by date:

From: Isaac Morland
Date: 26 June, 15:58:17
Subject: Re: current_role of caller of a DEFINER function

From: Ron Johnson
Date: 26 June, 16:15:30
Subject: Re: Autovacuum, dead tuples and bloat

Re: current_role of caller of a DEFINER function - Mailing list pgsql-general

Previous

Next