> On 4 Dec 2024, at 17:13, Eric Hanson <e...@aquameta.com> wrote: > > On Mon, Dec 2, 2024 at 10:31 AM Wolfgang Walther <walt...@technowledgy.de > <mailto:walt...@technowledgy.de>> wrote: >> Eric Hanson: >> > a) Transaction ("local") Sandbox: >> > - SET LOCAL ROLE alice NO RESET; >> > - SET LOCAL ROLE alice WITHOUT RESET; [snip] >> > c) "Guarded" Transaction/Session >> > - SET [LOCAL] ROLE alice GUARDED BY reset_token; >> > - RESET ROLE WITH TOKEN reset_token;
These are preferable options for PostgREST (at least as long as JWT based impersonation is implemented in Postgres). >> > >> > Guarded sandboxes are nice because the session can also exit the sandbox >> > if it has the token. >> d) SET [LOCAL] ROLE alice WITH <password>; >> PostgREST does not know alice's password as it performs JWT based authentication. Regards — Michal
