> On May 1, 2021, at 7:07 AM, Chapman Flack <c...@anastigmatix.net> wrote:
> On 04/30/21 22:00, Mark Dilger wrote:
>> Viewing all of this in terms of which controls allow the tenant to escape
>> a hypothetical sandbox seems like the wrong approach. Shouldn't we let
>> service providers decide which controls would allow the tenant to escape
>> the specific sandbox the provider has designed?
> I agree that sounds more like the right approach. It seems to me that
> in the general case, a provider might conclude that setting foo is
> safe in the provider-designed sandbox /if the value being assigned
> to it satisfies some provider-determined conditions/.
> So it seems the machinery is already in place with which a provider
> could allow a chosen set of SUSET-only GUCs to be set, to values that
> satisfy provider-determined conditions, by users in a provider-chosen
> role.
> Some pretty syntax like GRANT SETTING foo TO ROLE bar WHERE cond;
> would simply be sugar on top.
I agree with everything you say here. I have some thoughts about usability....
I'd like the experience for the tenant to be as similar as possible to having
superuser privileges on their own cluster. The tenant may be migrating an
application from a database that they currently manage themselves, and any need
to use different syntax from what they have been using is an extra hurdle that
could derail the migration.
Extra syntax for use by the service provider seems much easier to justify.
If the service provider can install extra role-aware check_hooks for gucs, and
if the include directive for postgresql.conf can specify a role under which a
postgresql.conf.tenant file is processed, then the tenant can port their
application and their config file and the only things that should break are
those things the provider has intentionally prohibited.
Does this sound like a reasonable approach?
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company