| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Simon Riggs <simon(at)2ndQuadrant(dot)com> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Additional role attributes && superuser review |
| Date: | 2014-10-16 19:37:09 |
| Message-ID: | 20141016193709.GK28859@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Simon Riggs (simon(at)2ndQuadrant(dot)com) wrote:
> On 16 October 2014 20:04, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> >>> GRANT CAPABILITY whatever TO somebody;
> >>
> >> So, we went back to just role attributes to avoid the keyword issue..
> >> The above would require making 'CAPABILITY' a reserved word, and there
> >> really isn't a 'good' already-reserved word we can use there that I
> >> found.
> >
> > Ah, good point. Using ALTER ROLE is better. Maybe we should do ALTER
> > ROLE .. [ ADD | DROP ] CAPABILITY x. That would still require making
> > CAPABILITY a keyword, but it could be unreserved.
>
> I thought you had it right first time. It is mighty annoying that some
> privileges are GRANTed and others ALTER ROLEd.
Yeah- but there's a material difference in the two, as I tried to
outline previously..
> How about
>
> GRANT EXECUTE [PRIVILEGES] ON CAPABILITY foo TO bar;
>
> That is similar to granting execution privs on a function. And I think
> gets round the keyword issue?
No, it doesn't.. EXECUTE isn't reserved at all.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Brightwell, Adam | 2014-10-16 19:39:15 | Re: Review of GetUserId() Usage |
| Previous Message | Simon Riggs | 2014-10-16 19:35:07 | Re: Additional role attributes && superuser review |