feat(postgres): inject and pin per-upstream session settings#189
Merged
Conversation
Generalize the single SET ROLE injection into a list of session variables (GUCs) the proxy SETs at session start, so an upstream can carry context like `centaur.slack_channel_id = 'C123'` for RLS. Settings are applied via set_config before the SET ROLE downgrade, and the proxy pins them: clients may not SET / RESET / set_config a pinned name afterwards. The SQL classifier now reports every GUC a statement writes (not just role), and the relay rejects writes to pinned names. This also closes a latent gap in the role pin: RESET ALL / DISCARD ALL reset the managed role and were not previously blocked. They are now rejected whenever the proxy manages a role or settings. Settings flow through both the YAML config and the control-plane sync path, with name validation (dotted GUC identifiers; role and session_authorization reserved).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Generalizes the existing single
SET ROLEinjection into a list of session variables (GUCs) the proxy SETs at session start, so an upstream can carry context likecentaur.slack_channel_id = 'C123'for RLS policies to key off.Settings are applied via
set_config(bound params, no value quoting) before theSET ROLEdowngrade, and the proxy pins them: clients may notSET/RESET/set_configa pinned name afterwards. The SQL classifier now reports every GUC a statement writes (not just role), and the relay rejects writes to pinned names. This also closes a latent gap in the role pin:RESET ALL/DISCARD ALLreset the managed role and were not previously blocked; they are now rejected whenever the proxy manages a role or settings.Settings flow through both the YAML config and the control-plane sync path, with name validation (dotted GUC identifiers;
roleandsession_authorizationreserved). Values are static per-upstream.