Re: security hooks on object creation

From: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
To: Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>
Cc: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, robertmhaas(at)gmail(dot)com, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: security hooks on object creation
Date: 2010-11-09 12:46:37
Message-ID: 4CD942AD.8070707@kaigai.gr.jp
Lists: pgsql-hackers

(2010/11/09 20:34), Itagaki Takahiro wrote:
> 2010/11/9 KaiGai Kohei<kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>> The attached patch provides plugin modules a hook just after object
>> creation time. In typical use cases, it enables assigning default
>> security labels on object creation by the external security providers.
>
> It looks like "DDL Trigger" on other database products.
> Do we need to consider both security hooks and DDL triggers now?
> Or, is it enough to design DDL triggers after the hooks are merged?
> Low-level hooks might be better for security providers because
> SQL-level triggers could be uninstalled by superusers.
>
An interesting viewpoint. Does the DDL trigger allow us to do something
on CREATE/ALTER/DROP commands?

One thing we need to pay attention to is that the CREATE command is an
exception from the other DDL commands, because the database object to be
modified does not exist before the actual work. So, I'm saying we need both
prep/post creation hooks in the world of complete features.
Meanwhile, I don't think we need security hooks post ALTER/DROP commands.
Thus, we will put security hooks next to the existing permission checks,
not after the actual work of these commands.
Is it reasonable for DDL triggers (if they have something like BEFORE/AFTER)?

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
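
A toy C model of the hook placement discussed in the message above, added here as an illustration; it is not code from the attached patch or from PostgreSQL. Every name in it (create_object, drop_object, security_hook, sample_provider, the labels) is hypothetical, and it models only the post-creation and pre-DROP cases.

```c
/* Toy model, constructed for illustration; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef enum { EV_POST_CREATE, EV_PRE_DROP } event_t;
typedef struct { int oid; int live; char label[32]; } object_t;
typedef int (*security_hook_t)(event_t ev, object_t *obj); /* 0 allow, -1 deny */

static object_t catalog[8];
static int next_oid = 1;
static security_hook_t security_hook = NULL; /* set by a security provider */

/* CREATE: the object has no identity until the work is done, so the
 * provider can only attach a default label from a hook run afterwards. */
int create_object(void)
{
    if (next_oid > 8) return -1;
    object_t *obj = &catalog[next_oid - 1];
    obj->oid = next_oid++;
    obj->live = 1;
    obj->label[0] = '\0';
    if (security_hook) security_hook(EV_POST_CREATE, obj);
    return obj->oid;
}

/* DROP: the object already exists, so the hook sits beside the permission
 * check, before any work; a denial leaves the object untouched. */
int drop_object(int oid)
{
    if (oid < 1 || oid >= next_oid || !catalog[oid - 1].live) return -1;
    object_t *obj = &catalog[oid - 1];
    if (security_hook && security_hook(EV_PRE_DROP, obj) != 0) return -1;
    obj->live = 0;
    return 0;
}

/* Sample provider: label on creation, refuse to drop "system_t" objects. */
int sample_provider(event_t ev, object_t *obj)
{
    if (ev == EV_POST_CREATE)
        snprintf(obj->label, sizeof obj->label, "%s",
                 obj->oid == 1 ? "system_t" : "user_t");
    else if (ev == EV_PRE_DROP && strcmp(obj->label, "system_t") == 0)
        return -1;
    return 0;
}

int main(void)
{
    security_hook = sample_provider;
    int a = create_object(), b = create_object();
    printf("drop %d: %d, drop %d: %d\n", a, drop_object(a), b, drop_object(b));
    return 0;
}
```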
