On Thu, Nov 4, 2021 at 12:03 PM Jeff Davis <pg...@j-davis.com> wrote: > The approach of using a function's ACL to represent the ACL of a > higher-level command (as in this patch) does feel right to me. It feels > like something we might extend to similar situations in the future; and > even if we don't, it seems like a clean solution in isolation.
It feels wrong to me. I realize that it's convenient to be able to re-use the existing GRANT and REVOKE commands that we have for functions, but actually DDL interfaces are better than SQL functions, because the syntax can be richer and you can avoid things like needing to take a snapshot. This particular patch dodges that problem, which is both a good thing and also clever, but it doesn't really make me feel any better about the concept in general. I think that the ongoing pressure to reduce as many things as possible to function permissions checks is ultimately going to turn out to be an unpleasant dead end. But by the time we reach that dead end we'll have put so much effort into making it work that it will be hard to change course, for backward-compatibility reasons among others. I don't have anything specific to propose, which I realize is kind of unhelpful ... but I don't like this, either. -- Robert Haas EDB: http://www.enterprisedb.com
