Eric Hanson:
> Did you find some way to prevent RESET ROLE? I once advocated for a NO
> RESET option on SET ROLE [1] so that RESET ROLE would be impossible for
> the rest of the session. Still think it would be helpful.
Yeah, this is still on my list of things to research more about
eventually - currently still unsolved.
For my use-case the NO RESET would need to apply until the end of the
transaction, not end of the session.
I imagine something like an extension, that would:
- block any SET SESSION ROLE
- block any RESET ROLE
- only allow SET LOCAL ROLE when CURRENT_USER has the right to do so
Then the effect of SET LOCAL ROLE would still be reversed at the end of
the transaction, but you could never "escape" a SET LOCAL ROLE that was
set earlier.
Best,
Wolfgang