On Fri, 30 Apr 2021 at 22:00, Mark Dilger <mark.dil...@enterprisedb.com> wrote:
> Viewing all of this in terms of which controls allow the tenant to escape > a hypothetical sandbox seems like the wrong approach. Shouldn't we let > service providers decide which controls would allow the tenant to escape > the specific sandbox the provider has designed? > I’m not even sure I should be mentioning this possibility, but what if we made each GUC parameter a grantable privilege? I’m honestly not sure if this is insane or not. I mean numerically it’s a lot of privileges, but conceptually it’s relatively simple. What I like the least about it is actually the idea of giving up entirely on the notion of grouping privileges into reasonable packages: some of these privileges would be quite safe to grant in many or even most circumstances, while others would usually not be reasonable to grant.
