Thread: is_superuser is not documented
Hi! is_superuser function checks whether a user is a superuser or not, and is commonly used. However, is_superuser is not documented and is set to UNGROUPED in guc.c. I think is_superuser should be added to the documentation and set to PRESET OPTIONS.What are you thought on this? Regards, Kotaro Kawmaoto
On Fri, Sep 9, 2022, at 2:28 AM, bt22kawamotok wrote:
is_superuser function checks whether a user is a superuser or not, andis commonly used. However, is_superuser is not documented and is set toUNGROUPED in guc.c. I think is_superuser should be added to thedocumentation and set to PRESET OPTIONS.What are you thought on this?
There is no such function. Are you referring to the GUC? I agree that it should
be added to the documentation. The main reason is that it is reported by
ParameterStatus along with some other GUCs described in the Preset Options
section.
postgres=# \dfS is_superuser
List of functions
Schema | Name | Result data type | Argument data types | Type
--------+------+------------------+---------------------+------
(0 rows)
postgres=# SHOW is_superuser;
is_superuser
--------------
on
(1 row)
Do you mind writing a patch?
"Euler Taveira" <euler@eulerto.com> writes: > On Fri, Sep 9, 2022, at 2:28 AM, bt22kawamotok wrote: >> is_superuser function checks whether a user is a superuser or not, and >> is commonly used. However, is_superuser is not documented and is set to >> UNGROUPED in guc.c. I think is_superuser should be added to the >> documentation and set to PRESET OPTIONS.What are you thought on this? > There is no such function. Are you referring to the GUC? I agree that it should > be added to the documentation. If you look at guc.c, it kind of seems intentional that it's undocumented: /* Not for general use --- used by SET SESSION AUTHORIZATION */ {"is_superuser", PGC_INTERNAL, UNGROUPED, gettext_noop("Shows whether the current user is a superuser."), NULL, GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE }, &session_auth_is_superuser, false, NULL, NULL, NULL On the other hand, it seems pretty silly that it's GUC_REPORT if we want to consider it private. I've not checked the git history, but I bet that flag was added later with no thought about context. If we are going to document this then we should at least remove the GUC_NO_SHOW_ALL flag and rewrite the comment. I wonder whether the GUC_NO_RESET_ALL flag is needed either --- seems like the PGC_INTERNAL context protects it sufficiently. regards, tom lane
I wrote: > On the other hand, it seems pretty silly that it's GUC_REPORT if > we want to consider it private. I've not checked the git history, > but I bet that flag was added later with no thought about context. > > If we are going to document this then we should at least remove > the GUC_NO_SHOW_ALL flag and rewrite the comment. I wonder whether > the GUC_NO_RESET_ALL flag is needed either --- seems like the > PGC_INTERNAL context protects it sufficiently. BTW, "session_authorization" has a subset of these same issues: /* Not for general use --- used by SET SESSION AUTHORIZATION */ {"session_authorization", PGC_USERSET, UNGROUPED, gettext_noop("Sets the session user name."), NULL, GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE | GUC_NOT_WHILE_SEC_REST }, &session_authorization_string, NULL, check_session_authorization, assign_session_authorization, NULL I wonder why this one is marked USERSET where the other is not. You'd think both of them need similar special-casing about how to handle SET. regards, tom lane
> On the other hand, it seems pretty silly that it's GUC_REPORT if > we want to consider it private. I've not checked the git history, > but I bet that flag was added later with no thought about context. > > If we are going to document this then we should at least remove > the GUC_NO_SHOW_ALL flag and rewrite the comment. I wonder whether > the GUC_NO_RESET_ALL flag is needed either --- seems like the > PGC_INTERNAL context protects it sufficiently. > I wonder why this one is marked USERSET where the other is not. > You'd think both of them need similar special-casing about how > to handle SET. Thanks for your review. I have created a patch in response to your suggestion. I wasn't sure about USERSET, so I only created documentation for is_superuser. Regards, Kotaro Kawamoto.
Attachment
On 2022/09/12 17:13, bt22kawamotok wrote: >> On the other hand, it seems pretty silly that it's GUC_REPORT if >> we want to consider it private. I've not checked the git history, >> but I bet that flag was added later with no thought about context. >> >> If we are going to document this then we should at least remove >> the GUC_NO_SHOW_ALL flag and rewrite the comment. I wonder whether >> the GUC_NO_RESET_ALL flag is needed either --- seems like the >> PGC_INTERNAL context protects it sufficiently. > >> I wonder why this one is marked USERSET where the other is not. >> You'd think both of them need similar special-casing about how >> to handle SET. SET SESSION AUTHORIZATION command changes the setting of session_authorization by calling set_config_option() with PGC_SUSET/USERSET and PGC_S_SESSION in ExecSetVariableStmt(). So SET SESSION AUTHORIZATION command may fail unless session_authorization uses PGC_USERSET. OTOH, SET SESSION AUTHORIZATION causes to call the assign hook for session_authorization and it changes is_superuser by using PGC_INTERNAL and PGC_S_DYNAMIC_DEFAULT. So is_superuser doesn't need to use PGC_USERSET. I think that session_authorization also can use PGC_INTERNAL if we add the special-handling in SET SESSION AUTHORIZATION command. But it seems a bit overkill to me. > Thanks for your review. > > I have created a patch in response to your suggestion. > I wasn't sure about USERSET, so I only created documentation for is_superuser. Thanks for the patch! + <varlistentry id="guc-is-superuser" xreflabel="is_superuser"> + <term><varname>is_superuser</varname> (<type>boolean</type>) You need to add this entry just after that of "in_hot_standby" because the descriptions of preset parameters should be placed in alphabetical order in the docs. + <para> + Reports whether the user is superuser or not. Isn't it better to add "current" before "user", e.g., "Reports whether the current user is a superuser"? /* Not for general use --- used by SET SESSION AUTHORIZATION */ - {"is_superuser", PGC_INTERNAL, UNGROUPED, + {"is_superuser", PGC_INTERNAL, PRESET_OPTIONS, This comment should be rewritten or removed because "Not for general use" part is not true. - GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE + GUC_REPORT | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE As Tom commented upthread, GUC_NO_RESET_ALL flag should be removed because it's not necessary when PGC_INTERNAL context (i.e., in this context, RESET ALL is prohibit by defaulted) is used. With the patch, make check failed. You need to update src/test/regress/expected/guc.out. <varlistentry> <term><literal>IS_SUPERUSER</literal></term> <listitem> <para> True if the current role has superuser privileges. </para> I found that the docs of SET command has the above description about is_superuser. This description seems useless if we document the is_superuser GUC itself. So isn't it better to remove this description? Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
> Thanks for the patch! > > > + <varlistentry id="guc-is-superuser" xreflabel="is_superuser"> > + <term><varname>is_superuser</varname> (<type>boolean</type>) > > You need to add this entry just after that of "in_hot_standby" because > the descriptions of preset parameters should be placed in alphabetical > order in the docs. > > > + <para> > + Reports whether the user is superuser or not. > > Isn't it better to add "current" before "user", e.g., > "Reports whether the current user is a superuser"? > > > /* Not for general use --- used by SET SESSION AUTHORIZATION */ > - {"is_superuser", PGC_INTERNAL, UNGROUPED, > + {"is_superuser", PGC_INTERNAL, PRESET_OPTIONS, > > This comment should be rewritten or removed because "Not for general > use" part is not true. > > > - GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | > GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE > + GUC_REPORT | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | > GUC_DISALLOW_IN_FILE > > As Tom commented upthread, GUC_NO_RESET_ALL flag should be removed > because it's not necessary when PGC_INTERNAL context (i.e., in this > context, > RESET ALL is prohibit by defaulted) is used. > > > With the patch, make check failed. You need to update > src/test/regress/expected/guc.out. > > > <varlistentry> > <term><literal>IS_SUPERUSER</literal></term> > <listitem> > <para> > True if the current role has superuser privileges. > </para> > > I found that the docs of SET command has the above description about > is_superuser. > This description seems useless if we document the is_superuser GUC > itself. So isn't > it better to remove this description? Thank you for your review. I create new patch add_document_is_superuser_v2. please check it. Regards, Kotaro Kawamoto
Attachment
On 2022/09/13 17:25, bt22kawamotok wrote: > >> Thanks for the patch! >> >> >> + <varlistentry id="guc-is-superuser" xreflabel="is_superuser"> >> + <term><varname>is_superuser</varname> (<type>boolean</type>) >> >> You need to add this entry just after that of "in_hot_standby" because >> the descriptions of preset parameters should be placed in alphabetical >> order in the docs. >> >> >> + <para> >> + Reports whether the user is superuser or not. >> >> Isn't it better to add "current" before "user", e.g., >> "Reports whether the current user is a superuser"? >> >> >> /* Not for general use --- used by SET SESSION AUTHORIZATION */ >> - {"is_superuser", PGC_INTERNAL, UNGROUPED, >> + {"is_superuser", PGC_INTERNAL, PRESET_OPTIONS, >> >> This comment should be rewritten or removed because "Not for general >> use" part is not true. >> >> >> - GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | >> GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE >> + GUC_REPORT | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE >> >> As Tom commented upthread, GUC_NO_RESET_ALL flag should be removed >> because it's not necessary when PGC_INTERNAL context (i.e., in this context, >> RESET ALL is prohibit by defaulted) is used. >> >> >> With the patch, make check failed. You need to update >> src/test/regress/expected/guc.out. >> >> >> <varlistentry> >> <term><literal>IS_SUPERUSER</literal></term> >> <listitem> >> <para> >> True if the current role has superuser privileges. >> </para> >> >> I found that the docs of SET command has the above description about >> is_superuser. >> This description seems useless if we document the is_superuser GUC >> itself. So isn't >> it better to remove this description? > > Thank you for your review. > I create new patch add_document_is_superuser_v2. > please check it. Thanks for updating the patch! The patch looks good to me. - /* Not for general use --- used by SET SESSION AUTHORIZATION */ {"session_authorization", PGC_USERSET, UNGROUPED, If we don't document session_authorization and do expect that it's usually used by SET/SHOW SESSION AUTHORIZATION, this comment doesn't need to be removed, I think. Could you register this patch into the next Commit Fest so that we don't forget it? Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
> Thanks for updating the patch! > > The patch looks good to me. > > - /* Not for general use --- used by SET SESSION AUTHORIZATION */ > {"session_authorization", PGC_USERSET, UNGROUPED, > > If we don't document session_authorization and do expect that > it's usually used by SET/SHOW SESSION AUTHORIZATION, > this comment doesn't need to be removed, I think. Thanks for reviewing. I update patch to reflect master update. > Could you register this patch into the next Commit Fest > so that we don't forget it? OK. I will register next Commit Fest. Thank you. Regards, Kotaro Kawamoto
Attachment
On 2022/09/14 14:27, bt22kawamotok wrote: > I update patch to reflect master update. Thanks for updating the patch! + <para> + Shows whether the current user is a superuser or not. + </para> How about adding the note about when this parameter can change, like we do for in_hot_standby docs? I applied this change to the patch. Attached is the updated version of the patch. Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
Attachment
On Thu, Mar 2, 2023 at 11:53 AM Fujii Masao <masao.fujii@oss.nttdata.com> wrote:
>
> On 2022/09/14 14:27, bt22kawamotok wrote:
> > I update patch to reflect master update.
>
> Thanks for updating the patch!
>
> + <para>
> + Shows whether the current user is a superuser or not.
> + </para>
>
> How about adding the note about when this parameter can change,
> like we do for in_hot_standby docs? I applied this change to the patch.
> Attached is the updated version of the patch.
>
I just came across this thread and noticed that the patch was never
merged. There is some brief docs for is_superuser in the SHOW docs:
https://www.postgresql.org/docs/current/sql-show.html, but the GUC
fields were never updated.
Is there a reason that it never got merged or was it just forgotten
about?
- Joe Koshakow
On Thu, Mar 2, 2023 at 12:00:43PM -0500, Joseph Koshakow wrote: > > > On Thu, Mar 2, 2023 at 11:53 AM Fujii Masao <masao.fujii@oss.nttdata.com> > wrote: > > > > On 2022/09/14 14:27, bt22kawamotok wrote: > > > I update patch to reflect master update. > > > > Thanks for updating the patch! > > > > + <para> > > + Shows whether the current user is a superuser or not. > > + </para> > > > > How about adding the note about when this parameter can change, > > like we do for in_hot_standby docs? I applied this change to the patch. > > Attached is the updated version of the patch. > > > > I just came across this thread and noticed that the patch was never > merged. There is some brief docs for is_superuser in the SHOW docs: > https://www.postgresql.org/docs/current/sql-show.html, but the GUC > fields were never updated. > > Is there a reason that it never got merged or was it just forgotten > about? Uh, where are you looking? I see it in the SGML, and in the PG 15 docs: https://www.postgresql.org/docs/current/sql-show.html IS_SUPERUSER True if the current role has superuser privileges. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Embrace your flaws. They make you human, rather than perfect, which you will never be.
On Wed, Mar 29, 2023 at 5:21 PM Bruce Momjian <bruce@momjian.us> wrote:
>
> On Thu, Mar 2, 2023 at 12:00:43PM -0500, Joseph Koshakow wrote:
> >
> >
> > On Thu, Mar 2, 2023 at 11:53 AM Fujii Masao <masao.fujii@oss.nttdata.com>
> > wrote:
> > >
> > > On 2022/09/14 14:27, bt22kawamotok wrote:
> > > > I update patch to reflect master update.
> > >
> > > Thanks for updating the patch!
> > >
> > > + <para>
> > > + Shows whether the current user is a superuser or not.
> > > + </para>
> > >
> > > How about adding the note about when this parameter can change,
> > > like we do for in_hot_standby docs? I applied this change to the patch.
> > > Attached is the updated version of the patch.
> > >
> >
> > I just came across this thread and noticed that the patch was never
> > merged. There is some brief docs for is_superuser in the SHOW docs:
> > https://www.postgresql.org/docs/current/sql-show.html, but the GUC
> > fields were never updated.
> >
> > Is there a reason that it never got merged or was it just forgotten
> > about?
>
> Uh, where are you looking? I see it in the SGML, and in the PG 15 docs:
>
> https://www.postgresql.org/docs/current/sql-show.html
>
> IS_SUPERUSER
>
> True if the current role has superuser privileges.
The patch updated the guc table for is_superuser in
src/backend/utils/misc/guc_tables.c
- /* Not for general use --- used by SET SESSION AUTHORIZATION */
- {"is_superuser", PGC_INTERNAL, UNGROUPED,
+ {"is_superuser", PGC_INTERNAL, PRESET_OPTIONS,
gettext_noop("Shows whether the current user is a superuser."),
NULL,
- GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+ GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
However, when I look at the code on master I don't see this update
/* Not for general use --- used by SET SESSION AUTHORIZATION */
{"is_superuser", PGC_INTERNAL, UNGROUPED,
gettext_noop("Shows whether the current user is a superuser."),
NULL,
GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
Similarly, when running `SHOW ALL` against master I don't see the
is_superuser variable
$ /usr/local/pgsql/bin/psql -c "SHOW ALL" test | grep is_superuser
$
>
> On Thu, Mar 2, 2023 at 12:00:43PM -0500, Joseph Koshakow wrote:
> >
> >
> > On Thu, Mar 2, 2023 at 11:53 AM Fujii Masao <masao.fujii@oss.nttdata.com>
> > wrote:
> > >
> > > On 2022/09/14 14:27, bt22kawamotok wrote:
> > > > I update patch to reflect master update.
> > >
> > > Thanks for updating the patch!
> > >
> > > + <para>
> > > + Shows whether the current user is a superuser or not.
> > > + </para>
> > >
> > > How about adding the note about when this parameter can change,
> > > like we do for in_hot_standby docs? I applied this change to the patch.
> > > Attached is the updated version of the patch.
> > >
> >
> > I just came across this thread and noticed that the patch was never
> > merged. There is some brief docs for is_superuser in the SHOW docs:
> > https://www.postgresql.org/docs/current/sql-show.html, but the GUC
> > fields were never updated.
> >
> > Is there a reason that it never got merged or was it just forgotten
> > about?
>
> Uh, where are you looking? I see it in the SGML, and in the PG 15 docs:
>
> https://www.postgresql.org/docs/current/sql-show.html
>
> IS_SUPERUSER
>
> True if the current role has superuser privileges.
The patch updated the guc table for is_superuser in
src/backend/utils/misc/guc_tables.c
- /* Not for general use --- used by SET SESSION AUTHORIZATION */
- {"is_superuser", PGC_INTERNAL, UNGROUPED,
+ {"is_superuser", PGC_INTERNAL, PRESET_OPTIONS,
gettext_noop("Shows whether the current user is a superuser."),
NULL,
- GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+ GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
However, when I look at the code on master I don't see this update
/* Not for general use --- used by SET SESSION AUTHORIZATION */
{"is_superuser", PGC_INTERNAL, UNGROUPED,
gettext_noop("Shows whether the current user is a superuser."),
NULL,
GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
Similarly, when running `SHOW ALL` against master I don't see the
is_superuser variable
$ /usr/local/pgsql/bin/psql -c "SHOW ALL" test | grep is_superuser
$
On 2023/04/01 22:34, Joseph Koshakow wrote: > The patch updated the guc table for is_superuser in > src/backend/utils/misc/guc_tables.c Yes, this patch moves the descriptions of is_superuser to config.sgml and changes its group to PRESET_OPTIONS. > However, when I look at the code on master I don't see this update Yes, the patch has not been committed yet because of lack of review comments. Do you have any review comments on this patch? Or you think it's ready for committer? Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
On Mon, Apr 3, 2023 at 10:47 AM Fujii Masao <masao.fujii@oss.nttdata.com> wrote:
> Yes, the patch has not been committed yet because of lack of review comments.
> Do you have any review comments on this patch?
> Or you think it's ready for committer?
I'm not very familiar with this code, so I'm not sure how much my
review is worth, but maybe it will spark some discussion.
> Yes, this patch moves the descriptions of is_superuser to config.sgml
> and changes its group to PRESET_OPTIONS.
is_superuser feels a little out of place in this file. All of
the options here apply to the entire PostgreSQL server, while
is_superuser only applies to the current session. The description of
this file says :
> These options report various aspects of PostgreSQL behavior that
> might be of interest to certain applications, particularly
> administrative front-ends. Most of them are determined when
> PostgreSQL is compiled or when it is installed.
Which doesn't seem to apply to is_superuser. It doesn't affect
the behavior of PostgreSQL, only what the current session is allowed to
do. It's also not determined when PostgreSQL is compiled/installed. Is
there some update that we can make to the description that would make
is_superuser fit in better?
I'm not familiar with the origins of is_superuser and it may be too
late for this, but it seems like is_superuser would fit in much better
as a system information function [0] rather than a GUC. Particularly
in the Session Information Functions.
> - GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
> + GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
This looks good to me. The lack of is_superuser from SHOW ALL has been
a source of confusion to me in the past.
As a side note server_version, server_encoding, lc_collate, and
lc_ctype all appear in both the preset options section of config.sgml
and in show.sgml. I'm not sure what the logic is for just including
these three parameters in show.sgml, but I think we should either
include all of the preset options or none of them.
Thanks,
Joe Koshakow
[0] https://www.postgresql.org/docs/current/functions-info.html
On Sat, Apr 8, 2023 at 10:54 AM Joseph Koshakow <koshy44@gmail.com> wrote: > is_superuser feels a little out of place in this file. All of > the options here apply to the entire PostgreSQL server, while > is_superuser only applies to the current session. The description of > this file says : > > > These options report various aspects of PostgreSQL behavior that > > might be of interest to certain applications, particularly > > administrative front-ends. Most of them are determined when > > PostgreSQL is compiled or when it is installed. > > Which doesn't seem to apply to is_superuser. It doesn't affect > the behavior of PostgreSQL, only what the current session is allowed to > do. I'm not sure I agree with that. I mean, maybe the phrasing could be improved somehow, but "PostgreSQL behavior" as a category seems to include whether or not it lets you do certain things. And, for example, psql will show a > or # in the prompt based on whether you're a superuser. I find "administrative front-end" to be a somewhat odd turn of phrase, but I guess it means general purpose frontends like pgsql or pgAdmin or whatever that you might use to administer the system, as opposed to applications. -- Robert Haas EDB: http://www.enterprisedb.com
On 2023/04/08 23:53, Joseph Koshakow wrote: > > > On Mon, Apr 3, 2023 at 10:47 AM Fujii Masao <masao.fujii@oss.nttdata.com <mailto:masao.fujii@oss.nttdata.com>> wrote: > > Yes, the patch has not been committed yet because of lack of review comments. > > Do you have any review comments on this patch? > > Or you think it's ready for committer? > > I'm not very familiar with this code, so I'm not sure how much my > review is worth, but maybe it will spark some discussion. Thanks for the comments! > > Yes, this patch moves the descriptions of is_superuser to config.sgml > > and changes its group to PRESET_OPTIONS. > > is_superuser feels a little out of place in this file. All of > the options here apply to the entire PostgreSQL server, while > is_superuser only applies to the current session. Aren't other preset options like lc_collate, lc_ctype and server_encoding similar to is_superuser? They seem to behave in a similar way as their settings can be different for each connection depending on the connected database. > I'm not familiar with the origins of is_superuser and it may be too > late for this, but it seems like is_superuser would fit in much better > as a system information function [0] rather than a GUC. Particularly > in the Session Information Functions. I understand your point, but I think it would be more confusing to document is_superuser there because it's defined and behaves differently from session information functions like current_user. For instance, the value of is_superuser can be displayed using SHOW command, while current_user cannot. Therefore, it's better to keep is_superuser separate from the session information functions. > As a side note server_version, server_encoding, lc_collate, and > lc_ctype all appear in both the preset options section of config.sgml > and in show.sgml. I'm not sure what the logic is for just including > these three parameters in show.sgml, but I think we should either > include all of the preset options or none of them. Agreed. I think that it's better to just treat them as GUCs and remove their descriptions from show.sgml. Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
On Tue, Apr 11, 2023 at 9:37 AM Fujii Masao <masao.fujii@oss.nttdata.com> wrote:
> > > Yes, this patch moves the descriptions of is_superuser to config.sgml
> > > and changes its group to PRESET_OPTIONS.
> >
> > is_superuser feels a little out of place in this file. All of
> > the options here apply to the entire PostgreSQL server, while
> > is_superuser only applies to the current session.
>
> Aren't other preset options like lc_collate, lc_ctype and server_encoding
> similar to is_superuser? They seem to behave in a similar way as their
> settings can be different for each connection depending on the connected database.
I think the difference is that all of those options are constant for
all connections to the same database and once the database is created
they are immutable. is_superuser is set on a per session basis and can
be changed at any time.
Looking through the options it actually looks like all the options are
set either when the server is built, the server is started, or the
database is created, and once they're set they become immutable. The
one exception I see is in_hot_standby mode which can be updated from on
to off (I can't remember off the top of my head if it can be updated
the other way). I'm moving the goal post a bit but I think preset may
imply that the value isn't going to change once it's been set.
Having said all that I actually think this is the best place for
is_superuser since it doesn't seem to fit in anywhere else.
> > I'm not familiar with the origins of is_superuser and it may be too
> > late for this, but it seems like is_superuser would fit in much better
> > as a system information function [0] rather than a GUC. Particularly
> > in the Session Information Functions.
>
> I understand your point, but I think it would be more confusing to document
> is_superuser there because it's defined and behaves differently from
> session information functions like current_user. For instance,
> the value of is_superuser can be displayed using SHOW command,
> while current_user cannot. Therefore, it's better to keep is_superuser
> separate from the session information functions.
I was implying that I thought it would have made more sense for
is_superuser to be implemented as a function, behave as a function,
and not be visible via SHOW. However, there may have been a good reason
not to do this and it may already be too late for that.
In my opinion, this is ready to be committed. However, like I said
earlier I'm not very familiar with the GUC code so you may want to
wait for another opinion.
Thanks,
Joe Koshakow
On 2023/04/12 5:41, Joseph Koshakow wrote: > Having said all that I actually think this is the best place for > is_superuser since it doesn't seem to fit in anywhere else. Yeah, I also could not find more appropriate place for is_superuser than there. > I was implying that I thought it would have made more sense for > is_superuser to be implemented as a function, behave as a function, > and not be visible via SHOW. However, there may have been a good reason > not to do this and it may already be too late for that. The is_superuser parameter is currently marked as GUC_REPORT and its value is automatically reported to a client. If we change it to a function, we will need to add functionality to automatically report the return value of the function to a client, which could be overkill. > In my opinion, this is ready to be committed. Thanks! Given that we have already exceeded the feature freeze date, I'm thinking to commit this change at the next CommitFest. Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
I think I may have discovered a reason why is_superuser is
intentionally undocumented. is_superuser is not updated if a role's
superuser attribute is changed by another session. Therefore,
is_superuser may show you an incorrect stale value.
Perhaps this can be fixed with a show_hook? Otherwise it's probably
best not to document a GUC that can show an incorrect value.
- Joe Koshakow
intentionally undocumented. is_superuser is not updated if a role's
superuser attribute is changed by another session. Therefore,
is_superuser may show you an incorrect stale value.
Perhaps this can be fixed with a show_hook? Otherwise it's probably
best not to document a GUC that can show an incorrect value.
- Joe Koshakow
On 2023/06/07 23:15, Joseph Koshakow wrote: > I think I may have discovered a reason why is_superuser is > intentionally undocumented. is_superuser is not updated if a role's > superuser attribute is changed by another session. Therefore, > is_superuser may show you an incorrect stale value. > > Perhaps this can be fixed with a show_hook? Otherwise it's probably > best not to document a GUC that can show an incorrect value. Or we can correct the description of is_superuser, for example, "True if the current role had superuser privileges when it connected to the database. Note that this parameter doesn't always indicate the current superuser status of the role."? Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION
On Wed, Jun 7, 2023 at 11:36 AM Fujii Masao <masao.fujii@oss.nttdata.com> wrote:
>
>
>
> On 2023/06/07 23:15, Joseph Koshakow wrote:
> > I think I may have discovered a reason why is_superuser is
> > intentionally undocumented. is_superuser is not updated if a role's
> > superuser attribute is changed by another session. Therefore,
> > is_superuser may show you an incorrect stale value.
> >
> > Perhaps this can be fixed with a show_hook? Otherwise it's probably
> > best not to document a GUC that can show an incorrect value.
>
> Or we can correct the description of is_superuser, for example,
> "True if the current role had superuser privileges when it connected to
> the database. Note that this parameter doesn't always indicate
> the current superuser status of the role."?
That description isn't exactly accurate either, since is_superuser is
re-evaluated whenever the role GUC is changed (i.e. through SET ROLE
or RESET ROLE), and potentially at other times I'm not aware of. I'm
curious to hear what others think though, since it seems like a bit of
a footgun. It will be up to the user to understand when `is_superuser`
is accurate or inaccurate. In most cases it will be impossible for
them to know unless they get the same information elsewhere, like
through pg_roles.
As an aside I think there's a similar issue with the
AuthenticatedUserIsSuperuser static variable. That variable is
initialized in miscinit.c in the InitializeSessionUserId function
based on whether the session role is a superuser when connecting. Then
as far as I can tell the variable is never updated.
When executing a SET SESSION AUTHORIZATION command, we check if
AuthenticatedUserIsSuperuser is true to determine if the session is
allowed to execute the command. That check happens in miscinit.c in the
SetSessionAuthorization function.
This means that if some role, r, connects as a superuser and then later
some other role removes r's superuser attribute, r can always set their
session authorization to a different role with the superuser attribute
to regain superuser privileges. So as long as r maintains an active
connection, they can never truly lose their superuser privileges.
- Joe Koshakow