Skip to content

query_supervisor: add option 'limits_enabled' instead of 'limited_users' list

Marcin requested to merge mi_public_haf_user_for_mr into develop

query_supervisor: add option 'limits_enabled' instead of 'limited_users' list

The new option can be set for any role with ALTER ROLE or SET statements.
When a role got the option set to 'true' then all its queries are
limited by the supervisor.

Changes in functional test: use the new options instead of 'limted_users'
ALTER ROLE during tests must be used with ;IN DATABASE' to avoid change
global postrges state.

Unfortunately, all attempts to introduce a predefined role group with limitations on queries for its members have failed due to the following reasons:

  • Custom options such as 'query_supervisor.*' are not inherited from the group by its members
  • It is currently impossible to determine whether a user's role is a member of a group (using either textual names or OIDs postgres crashes) at the moment when the decision to enable query hooks needs to be made (in PG_Init ). This makes it impossible to enforce query restrictions based on group membership.

Added limit (1000) for number of contexts per a role

Edited by Marcin

Merge request reports

Loading