On 6/21/23 10:38, Bhasker Bathini wrote:
Thank you for the quick response.
What if i can grant all the required privileges or even making the user
a superuser, why do i need set_user ?
Does set_user is just to make sure users with direct privileges wont
accidently modify critical information/parameters unless they set the
session to elevated privileged role to perform the operation?
I am not able to find a reason why i need set_user extension?
There are two main use cases for set_user:
1/ Allow an unprivileged admin role to escalate to superuser, but (to
the extent possible) ensure every command issued is logged for audit
purposes. It can also block things like COPY PROGRAM and ALTER SYSTEM
that might allow them to do things you do not wish to allow. Once
escalated, there are ways they could bypass the controls, but the act of
bypassing itself would get logged, so if you monitor and alert you would
catch it.
2/ Allow a single unprivileged role to be used to switch to other
unprivileged roles, without having to grant all of them, and with the
ability to set a random token so that switching back (and thus to
indirectly other roles) requires the token. Think in terms of a web app
that uses a single role to log in but then switches to a actual users
role. Or a proxy or load balancer of sorts.
--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
