On Sat, Mar 29, 2025 at 2:25 PM Andres Freund <and...@anarazel.de> wrote: > > I think I found an issue with this one - as it stands the view was viewable by > everyone. While it doesn't provide a *lot* of insight, it still seems a bit > too much for an unprivileged user to learn what part of a relation any other > user is currently reading. > > There'd be two different ways to address that: > 1) revoke view & function from public, grant to a limited role (presumably > pg_read_all_stats) > 2) copy pg_stat_activity's approach of using something like > > #define HAS_PGSTAT_PERMISSIONS(role) (has_privs_of_role(GetUserId(), > ROLE_PG_READ_ALL_STATS) || has_privs_of_role(GetUserId(), role)) > > on a per-IO basis.
Is it easier to later change it to be more restrictive or less? If it is easier to later lock it down more, then go with 2, otherwise go with 1? - Melanie
