| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Petr Jelinek <pjmodos(at)pjmodos(dot)net>, Jan Urbański <wulczer(at)wulczer(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com> |
| Subject: | Re: [PATCH] DefaultACLs |
| Date: | 2009-10-01 17:55:23 |
| Message-ID: | 102.1254419723@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> This doesn't actually address the entire problem. How about
> schema-level default grants which you want to override with per-role
> default grants? Or the other way around? Is it always only more
> permissive with more defaults? Even when the grantee is the same?
Well, bear in mind that we're *only* going to allow these things
per-role, so as to avoid the problem of translating ACLs to a different
grantor. So the main case that's not being solved is "I'd like to
grant privileges XYZ everywhere except in this schema". I'm willing to
write that off as not being within the scope of a simple mechanism.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stef Walter | 2009-10-01 17:56:04 | Re: Use "samehost" by default in pg_hba.conf? |
| Previous Message | Stephen Frost | 2009-10-01 17:50:57 | Re: [PATCH] DefaultACLs |