ASYNC Privileges proposal

From: Chris Farmiloe <chrisfarms(at)gmail(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: ASYNC Privileges proposal
Date: 2013-05-20 01:44:58
Message-ID: CAJNjj-uBZ1xuz8RHO-6_vJ8hmtGas6nKHDK5U3Cacxi3m1rYCg@mail.gmail.com
Lists: pgsql-hackers

Hey all,

I find the current LISTEN / NOTIFY rather limited in the context of
databases with multiple roles. As it stands it is not possible to restrict
the use of LISTEN or NOTIFY to specific roles, and therefore notifications
(and their payloads) cannot really be trusted as coming from any particular
source.

If the payloads of notifications could be trusted, then applications could
make better use of them, without fear of leaking any sensitive information
to anyone who shouldn't be able to see it.

I'd like to propose a new ASYNC database privilege that would control
whether a role can use LISTEN, NOTIFY and UNLISTEN statements and the
associated pg_notify function.

i.e.:
GRANT ASYNC ON DATABASE xxxx TO bob;
REVOKE ASYNC ON DATABASE xxxx FROM bob;

SECURITY DEFINER functions could then be used anywhere that a finer grained
access control was required.

I had a quick play to see what might be involved [attached], and would like
to hear people's thoughts: good idea, bad idea, not like that! etc.

Chris.

Attachment Content-Type Size
async_privileges_r0.patch application/octet-stream 7.2 KB
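The message suggests SECURITY DEFINER functions for finer-grained control on top of the proposed database-level privilege. The following is an added, constructed example (not from the patch or the poster) of such a wrapper around pg_notify: it restricts which roles may signal which channels and fixes the payload shape so listeners can trust its origin. The role names, the allowlist table and the `safe_notify` function are hypothetical, and the GRANT ASYNC lines are the syntax proposed in this message, shown commented out because it is not an existing PostgreSQL privilege.

```sql
-- Constructed example: hypothetical roles, table and function names.
CREATE ROLE notifier NOLOGIN;   -- the only role meant to reach pg_notify directly
CREATE ROLE app_user LOGIN;     -- an untrusted application role

-- Syntax proposed in this thread, not an existing PostgreSQL privilege:
-- GRANT ASYNC ON DATABASE appdb TO notifier;
-- REVOKE ASYNC ON DATABASE appdb FROM app_user;

-- Allowlist: which role may raise notifications on which channel.
CREATE TABLE notify_channels (
    channel  text PRIMARY KEY,
    allowed  name NOT NULL        -- role (or a role the caller is a member of)
);
INSERT INTO notify_channels VALUES ('orders_changed', 'app_user');
GRANT SELECT ON notify_channels TO notifier;   -- read by the wrapper only

CREATE OR REPLACE FUNCTION safe_notify(p_channel text, p_payload text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, public     -- pin lookups inside a definer function
AS $$
BEGIN
    -- session_user is not changed by SECURITY DEFINER, so it still names
    -- the authenticated caller rather than the function owner.
    IF NOT EXISTS (
        SELECT 1 FROM notify_channels
         WHERE channel = p_channel
           AND pg_has_role(session_user, allowed, 'MEMBER')
    ) THEN
        RAISE EXCEPTION 'role % may not notify channel %', session_user, p_channel;
    END IF;

    -- The wrapper assembles the payload, so listeners get a known shape
    -- that records who actually raised the notification.
    PERFORM pg_notify(p_channel,
                      json_build_object('from', session_user::text,
                                        'data', left(p_payload, 1000))::text);
END;
$$;

-- The function runs with notifier's rights; only app_user may call it.
ALTER FUNCTION safe_notify(text, text) OWNER TO notifier;
REVOKE EXECUTE ON FUNCTION safe_notify(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION safe_notify(text, text) TO app_user;
```

With the proposed privilege revoked from app_user, a direct `NOTIFY orders_changed, 'x'` by that role would be rejected, while `SELECT safe_notify('orders_changed', 'x')` succeeds and an attempt on an unlisted channel raises an error.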
