On 2012-01-31 15:28, Robert Haas wrote:
> *scratches head* I'm not sure I follow you. If you're saying that we can make this work by always allowing the value to be reset, then I agree with you, but I'm not sure those are the semantics KaiGai wants. For instance, if a connection pooler does:
>
> SET sepgsql.client_label = 'bob_t';
>
> ...and then hands off to the client, the client can then do:
>
> RESET sepgsql.client_label;
> SET sepgsql.client_label = 'alice_t';
>
> ...and that's bad.

Hmm, yes, this is a problem. Reading the original post better, it is also not the intended behaviour to support repeatable client_label switches.
"However, single-directed domain transition from bigger-privileges to smaller-privileged domain by users' operation is also supported on operating system, and useful feature to restrict applications capability at beginning of the session."
--
Yeb Havinga
http://www.mgrid.net/
Mastering Medical Data