From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: type privileges and default privileges |
Date: | 2011-11-11 13:40:10 |
Message-ID: | CA+TgmoaVPi6+0PEz9qOF1Z0OQUzWC+QVy47mK6cQ-0s6SR128A@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Nov 10, 2011 at 11:17 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>> On Thu, Nov 10, 2011 at 10:52 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> > Certainly a big one that people get caught by is our default of execute
>> > to public on functions.. Most of our privileges are set up as minimal
>> > access to others, functions are an oddity in that regard. Rather than
>> > fight the battle of what the default *should* be for functions, we could
>> > just give the DBA the ability to configure it for their database.
>>
>> Sure, let's do. But that hardly means that we need to store useless
> >> catalog records in every database where the DBA doesn't do that.
>
> Fair enough, so the direction would be to add 'IN DATABASE' options to
> 'ALTER DEFAULT PRIVILEGES' and have all the same options there, plus
> flags for schema (and any other schema-level/entire-database things)
> options? I presume that the 'IN SCHEMA' / 'FOR USER' options would be
> used, where those exist, and we'd only fall back to the higher ones if
> those don't exist?

Oh, I didn't realize that you were proposing a database-wide setting;
my point was just that the way the feature looks to the user doesn't
have to dictate the catalog representation.

I'm not entirely certain whether a database-wide setting is useful
enough to justify the additional complexity. I'm not saying it isn't,
just wondering out loud. To need this rather than just a per-schema
facility, you'd need to be using enough schemas (or creating new ones
frequently enough) that setting the privileges one schema at a time
would be inconvenient. How common is that?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
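
An added example, not part of the original message: how the PUBLIC EXECUTE default on functions discussed in this thread can be removed and audited with the existing per-role and per-schema forms of ALTER DEFAULT PRIVILEGES (not the 'IN DATABASE' option proposed above). The role names `app_owner` and `app_user` and the schema `app` are constructed for illustration.

```sql
-- Constructed names: roles app_owner and app_user, schema app.

-- Global (no IN SCHEMA) default for functions that app_owner creates later:
-- remove the built-in EXECUTE grant to PUBLIC.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- Per-schema defaults are added on top of the global defaults, so they can
-- grant extra access but cannot take away the built-in PUBLIC EXECUTE.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT EXECUTE ON FUNCTIONS TO app_user;

-- Default privileges apply only to objects created afterwards;
-- existing functions have to be fixed explicitly.
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA app FROM PUBLIC;
GRANT  EXECUTE ON ALL FUNCTIONS IN SCHEMA app TO app_user;

-- Audit: functions outside the system schemas that PUBLIC can still execute.
-- A NULL proacl means the built-in default applies, which includes PUBLIC;
-- grantee 0 in aclexplode() output is PUBLIC.
SELECT n.nspname                    AS schema,
       p.oid::regprocedure          AS function,
       pg_get_userbyid(p.proowner)  AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (p.proacl IS NULL
       OR EXISTS (SELECT 1
                  FROM aclexplode(p.proacl) a
                  WHERE a.grantee = 0
                    AND a.privilege_type = 'EXECUTE'))
ORDER BY 1, 2;

-- Review which default-privilege entries are actually stored.
-- A row exists only where a default was changed; 'f' is the function type.
SELECT pg_get_userbyid(d.defaclrole)       AS for_role,
       coalesce(n.nspname, '(all schemas)') AS in_schema,
       d.defaclobjtype,
       d.defaclacl
FROM pg_default_acl d
LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace
ORDER BY 1, 2;
```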