SET SESSION AUTHORIZATION (was Re: Real/effective user) - Mailing list pgsql-hackers

From Peter Eisentraut
Subject SET SESSION AUTHORIZATION (was Re: Real/effective user)
Date
Msg-id Pine.LNX.4.30.0104211735070.758-100000@peter.localdomain
In response to Re: Real/effective user  (Peter Eisentraut <peter_e@gmx.net>)
Responses Re: SET SESSION AUTHORIZATION (was Re: Real/effective user)  (Karel Zak <zakkr@zf.jcu.cz>)
List pgsql-hackers
I proclaimed:

> Tom Lane writes:
>
> > 1. "real user" = what you originally authenticated to the postmaster.
> >
> > 2. "session user" = what you can SET if your real identity is a superuser.
> >
> > 3. "current user" = effective userid for permission checks.
>
> We could have a Boolean variable "authenticated user is superuser" which
> would serve as the permission to execute SET SESSION AUTHENTICATION, while
> we would not actually be making the identity of the real/authenticated
> user available (so as to not confuse things unnecessarily).

I have implemented this; it seems to do what we need:

$ ~/pg-install/bin/psql -U peter

peter=# set session authorization 'joeblow';
SET VARIABLE
peter=# create table foo (a int);
CREATE
peter=# \dt
   List of relations
 Name  | Type  |  Owner
-------+-------+---------
 foo   | table | joeblow
 test  | table | peter
 test2 | table | peter
(3 rows)

Libpq's PQuser() can no longer be trusted for up to date information, so
psql's prompt, if set up that way, may be wrong, but I'm not sure whether
this is worth worrying about.

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter
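
The permission rule discussed in this message, as an added example that is not part of the original post and is not PostgreSQL source code: a simplified C model in which the login-time "authenticated user is superuser" flag, rather than the present session user, gates SET SESSION AUTHORIZATION. The `Session` struct, all function names and the one-superuser role catalog are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define NAMELEN 64

/* Hypothetical session state modelling the thread's proposal (not PostgreSQL source). */
typedef struct {
    bool authenticated_is_superuser; /* set once at login, never updated */
    char session_user[NAMELEN];      /* changed by SET SESSION AUTHORIZATION */
    char current_user[NAMELEN];      /* effective user for permission checks */
} Session;

/* Constructed role catalog: "peter" is the only superuser. */
static bool role_is_superuser(const char *name) { return strcmp(name, "peter") == 0; }

static void become(Session *s, const char *name)
{
    snprintf(s->session_user, NAMELEN, "%s", name);
    snprintf(s->current_user, NAMELEN, "%s", name);
}

void session_login(Session *s, const char *authenticated_name)
{
    s->authenticated_is_superuser = role_is_superuser(authenticated_name);
    become(s, authenticated_name);
}

/* Proposed gate: the login-time flag decides. Returns 0 on success, -1 on denial. */
int set_session_authorization(Session *s, const char *new_name)
{
    if (!s->authenticated_is_superuser) return -1;
    become(s, new_name);
    return 0;
}

/* Contrast: gating on the present session user strands the session after one switch. */
int set_session_authorization_naive(Session *s, const char *new_name)
{
    if (!role_is_superuser(s->session_user)) return -1;
    become(s, new_name);
    return 0;
}

/* New objects are owned by the effective user, as with table "foo" above. */
const char *owner_for_new_object(const Session *s) { return s->current_user; }
```
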


