Re: Allow placeholders in ALTER ROLE w/o superuser - Mailing list pgsql-hackers

From Alexander Korotkov
Subject Re: Allow placeholders in ALTER ROLE w/o superuser
Date
Msg-id CAPpHfdukNbP_imp8FNjOryB7H4a7REW1e-48JxQeoiCqBJVuzg@mail.gmail.com
Whole thread Raw
In response to Re: Allow placeholders in ALTER ROLE w/o superuser  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Allow placeholders in ALTER ROLE w/o superuser
List pgsql-hackers
On Sat, Nov 19, 2022 at 12:41 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> ... BTW, re-reading the commit message for a0ffa885e:
>
>     One caveat is that PGC_USERSET GUCs are unaffected by the SET privilege
>     --- one could wish that those were handled by a revocable grant to
>     PUBLIC, but they are not, because we couldn't make it robust enough
>     for GUCs defined by extensions.
>
> it suddenly struck me to wonder if the later 13d838815 changed the
> situation enough to allow revisiting that problem, and/or if storing
> the source role's OID in pg_db_role_setting would help.
>
> I don't immediately recall all the problems that led us to leave USERSET
> GUCs out of the feature, so maybe this is nuts; but maybe it isn't.
> It'd be worth considering if we're trying to improve matters here.

I think if we implement the user-visible USERSET flag for ALTER ROLE,
then we might just check permissions for such parameters from the
target role.

------
Regards,
Alexander Korotkov



pgsql-hackers by date:

Previous
From: Alexander Korotkov
Date:
Subject: Re: Allow placeholders in ALTER ROLE w/o superuser
Next
From: Tom Lane
Date:
Subject: Re: test/modules/test_oat_hooks vs. debug_discard_caches=1