Lists: | pgsql-hackers |
---|
From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Column privileges for system catalogs |
Date: | 2009-01-28 10:21:20 |
Message-ID: | 498031A0.1040701@gmx.net |
Is it now acceptable to use column privileges for system catalogs? For
the new SQL/MED catalogs we have used the old system of revoking all
permissions and having a filtered view on top of it (tradition since
pg_shadow), but I figured we could do this properly now by just revoking
permissions on a specific column.
From: | Euler Taveira de Oliveira <euler(at)timbira(dot)com> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Column privileges for system catalogs |
Date: | 2009-01-28 14:51:38 |
Message-ID: | 498070FA.3040904@timbira.com |
Peter Eisentraut wrote:
> Is it now acceptable to use column privileges for system catalogs? For
> the new SQL/MED catalogs we have used the old system of revoking all
> permissions and having a filtered view on top of it (tradition since
> pg_shadow), but I figured we could do this properly now by just revoking
> permissions on a specific column.
>
+1. What about pg_authid, pg_roles, pg_user, and pg_shadow?
--
Euler Taveira de Oliveira
http://www.timbira.com/
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Column privileges for system catalogs |
Date: | 2009-01-28 16:35:20 |
Message-ID: | 17898.1233160520@sss.pgh.pa.us |
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> Is it now acceptable to use column privileges for system catalogs?
Sure, to the same extent that table privileges work for them (ie,
don't expect the C code to pay any attention ;)).
> For
> the new SQL/MED catalogs we have used the old system of revoking all
> permissions and having a filtered view on top of it (tradition since
> pg_shadow), but I figured we could do this properly now by just revoking
> permissions on a specific column.
I don't have any objection to changing the catalog's own permissions
that way, but the filtered view still has a usability advantage: you
can just go "select * from ...". Is it reasonable to change the catalog
permissions and keep the view too?
regards, tom lane
From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Column privileges for system catalogs |
Date: | 2009-01-28 21:28:31 |
Message-ID: | 20090128212831.GZ8123@tamriel.snowman.net |
* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> I don't have any objection to changing the catalog's own permissions
> that way, but the filtered view still has a usability advantage: you
> can just go "select * from ...". Is it reasonable to change the catalog
> permissions and keep the view too?
I'm fine with that, I don't see any drawback to it, personally..
Stephen
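
The two approaches discussed in this thread, side by side, as an added example that is not part of any message above and is not PostgreSQL's own catalog setup. It assumes a scratch database and a superuser session; the table `demo_mapping`, the view `demo_mappings` and the role `demo_reader` are hypothetical names with constructed data.

```sql
-- Constructed stand-in for a catalog with one sensitive column (not a real catalog).
CREATE ROLE demo_reader NOLOGIN;            -- hypothetical unprivileged role
CREATE TABLE demo_mapping (
    srvname text,
    usename text,
    options text[]                          -- sensitive, e.g. a remote password
);
INSERT INTO demo_mapping VALUES ('srv1', 'alice', ARRAY['password=constructed']);

-- Most system catalogs are readable by PUBLIC; mimic that starting point.
GRANT SELECT ON demo_mapping TO PUBLIC;

-- Caveat: a column-level REVOKE alone has no effect while the table-level
-- grant exists; demo_reader could still read "options" after this statement.
REVOKE SELECT (options) ON demo_mapping FROM PUBLIC;

-- Working form: drop the table-level grant, then grant only the safe columns.
REVOKE SELECT ON demo_mapping FROM PUBLIC;
GRANT SELECT (srvname, usename) ON demo_mapping TO PUBLIC;

-- Keep the filtered view as well: access through it is checked against the
-- view owner's privileges on the table, so callers only need SELECT on the view.
CREATE VIEW demo_mappings AS
    SELECT srvname, usename FROM demo_mapping;
GRANT SELECT ON demo_mappings TO PUBLIC;

-- Check the result as the unprivileged role.
SET ROLE demo_reader;
SELECT srvname, usename FROM demo_mapping;  -- allowed by the column grants
SELECT options FROM demo_mapping;           -- fails: permission denied
SELECT * FROM demo_mapping;                 -- fails too: * expands to include options
SELECT * FROM demo_mappings;                -- works, the usability point made above
RESET ROLE;
```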