On 3/30/22 09:26, Tom Lane wrote:
> After sleeping on it, I have a modest proposal for simplifying
> these issues.  Consider this design:
>
> 1. In the SET code path, we assume (without any catalog lookup)
> that USERSET GUCs can be set.  Only for SUSET GUCs do we perform
> a permissions lookup.  (ALTER SYSTEM does a lookup in both cases.)
>
> 2. Given this, the default ACL for any GUC can be empty, greatly
> simplifying all these management issues.  Superusers could do what
> they want anyway, so modeling an "owner's default grant" becomes
> unnecessary.
>
> What this loses is the ability to revoke public SET permissions
> on USERSET GUCs.  I claim that that is not so valuable as to
> justify all the complication needed to deal with it.  (If a GUC
> seems to require some defenses, why is it USERSET?)  Avoiding
> a permissions lookup in the default SET code path seems like
> a pretty important benefit, too.  If we force that to happen
> it's going to be a noticeable drag on functions with SET clauses.
>
>                       



The last point is telling, so +1


cheers


andrew


--
Andrew Dunstan
EDB: https://www.enterprisedb.com
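
The check order in the quoted proposal, as an added example that is not part of the original message and is not PostgreSQL source. It is a toy model: the names `may_change`, `acl_lookup`, `grant` and the in-memory ACL array are hypothetical, and `work_mem` (USERSET) and `log_min_duration_statement` (SUSET) are sample parameters chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the quoted design; hypothetical names, not PostgreSQL code. */
typedef enum { USERSET, SUSET } GucContext;
typedef enum { OP_SET, OP_ALTER_SYSTEM } GucOp;
typedef struct { const char *guc; const char *role; GucOp op; } AclEntry;

/* Constructed ACL "catalog": empty by default, as point 2 proposes. */
static AclEntry acl[8];
static int acl_len = 0;
static int catalog_lookups = 0;   /* counts the cost that point 1 avoids */

static void grant(const char *guc, const char *role, GucOp op)
{
    if (acl_len < 8)
        acl[acl_len++] = (AclEntry){ guc, role, op };
}

static bool acl_lookup(const char *guc, const char *role, GucOp op)
{
    catalog_lookups++;
    for (int i = 0; i < acl_len; i++)
        if (acl[i].op == op && strcmp(acl[i].guc, guc) == 0 &&
            strcmp(acl[i].role, role) == 0)
            return true;
    return false;
}

static bool may_change(const char *guc, GucContext ctx, const char *role,
                       bool is_superuser, GucOp op)
{
    if (is_superuser)
        return true;   /* superusers need no grant, so no default ACL entry */
    if (op == OP_SET && ctx == USERSET)
        return true;   /* fast path: no lookup, hence nothing to revoke */
    return acl_lookup(guc, role, op);   /* SUSET, or any ALTER SYSTEM */
}

int main(void)
{
    printf("%d\n", may_change("work_mem", USERSET, "alice", false, OP_SET));
    printf("%d\n", may_change("log_min_duration_statement", SUSET,
                              "alice", false, OP_SET));
    printf("lookups=%d\n", catalog_lookups);
    return 0;
}
```

The USERSET fast path returns before the ACL is consulted, which is both the performance benefit and the reason a revoke of public SET cannot take effect in this design.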


