On 04/30/21 22:00, Mark Dilger wrote: > Viewing all of this in terms of which controls allow the tenant to escape > a hypothetical sandbox seems like the wrong approach. Shouldn't we let > service providers decide which controls would allow the tenant to escape > the specific sandbox the provider has designed?
I agree that sounds more like the right approach. It seems to me that in the general case, a provider might conclude that setting foo is safe in the provider-designed sandbox /if the value being assigned to it satisfies some provider-determined conditions/. On 04/30/21 20:02, Chapman Flack wrote: > So that suggests to me some mechanism where a provider could grant > setting foo to role bar using validator baz(). > > Can SUSET GUCs be set from SECURITY DEFINER functions? Maybe there are > already the pieces to do that, minus some syntax sugar. The answer seems to be yes: I just created a SECURITY DEFINER function and used it to change a SUSET-only GUC setting. So it seems the machinery is already in place with which a provider could allow a chosen set of SUSET-only GUCs to be set, to values that satisfy provider-determined conditions, by users in a provider-chosen role. Some pretty syntax like GRANT SETTING foo TO ROLE bar WHERE cond; would simply be sugar on top. Regards, -Chap
