Re: CREATE FUNCTION ... SEARCH { DEFAULT | SYSTEM | SESSION } - Mailing list pgsql-hackers

From Jeff Davis
Subject Re: CREATE FUNCTION ... SEARCH { DEFAULT | SYSTEM | SESSION }
Msg-id fc18038243cc1b0919f60a5812b7aac227d497f9.camel@j-davis.com
In response to Re: CREATE FUNCTION ... SEARCH { DEFAULT | SYSTEM | SESSION }  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: CREATE FUNCTION ... SEARCH { DEFAULT | SYSTEM | SESSION }
List pgsql-hackers
On Mon, 2023-09-18 at 12:01 -0400, Robert Haas wrote:
> But with the patch as you have proposed it that's not what happens. We
> just end up with two interconnected mechanisms for managing what,
> right now, is managed by a single mechanism. That mechanism is (and I
> think we probably mostly all agree on this) bad. Like really really
> bad. But having more than one mechanism, to me, still seems worse.

I don't want to make an argument of the form "the status quo is really
bad, and therefore my proposal is good". That line of argument is
suspect for good reason.

But if my proposal isn't good enough, and we don't have a clear
alternative, we need to think seriously about how much we've
collectively over-promised and under-delivered on the concept of
privilege separation.

Absent a better idea, we need to figure out a way to un-promise what we
can't do and somehow guide users towards safe practices. For instance,
don't grant the INSERT or UPDATE privilege if the table uses functions
in index expressions or constraints. Also don't touch any table unless
the owner has SET ROLE privileges on your role already, or the
operation is part of a special carve out (logical replication or a
maintenance command). And don't use the predefined role
pg_write_all_data, because that's unsafe for most imaginable use cases.

Regards,
    Jeff Davis
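The first two practices in the message above, as a constructed PostgreSQL demonstration added here (it is not part of the thread and not PostgreSQL project code). The roles, table and function names are hypothetical; the script is meant to be run by a superuser on a scratch database.

```sql
-- Added demonstration; roles, table and function names are hypothetical.
-- Run as a superuser on a throwaway database.

-- 1. A table owner attaches a function of its own to a CHECK constraint
--    and grants INSERT to another role.  The function is an ordinary
--    SECURITY INVOKER function, so it runs as whoever executes the INSERT.
CREATE ROLE tbl_owner;
CREATE ROLE writer;
GRANT CREATE ON SCHEMA public TO tbl_owner;   -- needed on PostgreSQL 15+

SET ROLE tbl_owner;
CREATE TABLE public.events (id int, payload text);
CREATE FUNCTION public.check_payload(t text) RETURNS boolean
  LANGUAGE plpgsql AS $$
BEGIN
  -- Any side effect written here executes with the privileges of the
  -- role performing the INSERT, which is the hazard described above.
  RAISE NOTICE 'check_payload() is running as %', current_user;
  RETURN t IS NOT NULL;
END
$$;
ALTER TABLE public.events
  ADD CONSTRAINT payload_ok CHECK (public.check_payload(payload));
GRANT INSERT ON public.events TO writer;
RESET ROLE;

-- 2. The grantee inserts a row.  The NOTICE reports "writer", not
--    "tbl_owner": the owner's code ran under the grantee's identity.
SET ROLE writer;
INSERT INTO public.events VALUES (1, 'hello');
RESET ROLE;

-- 3. Audit query for the first practice: tables whose INSERT or UPDATE
--    privilege is held by a role other than the owner and which carry an
--    expression or partial index, or a CHECK constraint.  It is deliberately
--    conservative: a CHECK such as (id > 0) calls no user function but is
--    still listed.  The last column reflects the second practice and
--    assumes PostgreSQL 16 or later, where pg_has_role() accepts 'SET';
--    drop it on older releases.
SELECT c.oid::regclass      AS tbl,
       c.relowner::regrole  AS owner,
       a.grantee::regrole   AS grantee,     -- '-' means PUBLIC
       a.privilege_type,
       CASE WHEN a.grantee = 0 THEN NULL
            ELSE pg_has_role(c.relowner, a.grantee, 'SET')
       END                  AS owner_can_set_role_to_grantee
FROM pg_class c
CROSS JOIN LATERAL aclexplode(c.relacl) a
WHERE c.relkind IN ('r', 'p')
  AND a.privilege_type IN ('INSERT', 'UPDATE')
  AND a.grantee <> c.relowner
  AND (EXISTS (SELECT 1 FROM pg_index i
               WHERE i.indrelid = c.oid
                 AND (i.indexprs IS NOT NULL OR i.indpred IS NOT NULL))
    OR EXISTS (SELECT 1 FROM pg_constraint k
               WHERE k.conrelid = c.oid AND k.contype = 'c'));
```

In step 2 the NOTICE names `writer`, so anything `tbl_owner` placed in `check_payload()` would have executed with `writer`'s privileges. The audit query lists the grants that create this exposure; a row where `owner_can_set_role_to_grantee` is false is one the message above recommends revoking unless the owner already holds SET ROLE on the grantee.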



