Lists: | pgsql-general |
---|
From: | "John D(dot) Burger" <john(at)mitre(dot)org> |
---|---|
To: | "pgsql-general postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Anticipatory privileges |
Date: | 2007-02-16 23:36:08 |
Message-ID: | 5FEE4946-2676-458F-A8CA-152550367172@mitre.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-general |
If I am reading the (7.4) docs correctly, privileges can be granted
only with respect to tables that exist at the time the GRANT command
is given - there is no
GRANT ALL ON * TO PUBLIC
or some such that would result in subsequently created tables having
public privileges.
Is this so?
Thanks.
- John D. Burger
MITRE
From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
---|---|
To: | "John D(dot) Burger" <john(at)mitre(dot)org> |
Cc: | "pgsql-general postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Anticipatory privileges |
Date: | 2007-02-17 00:30:28 |
Message-ID: | 20070217003028.GD9724@alvh.no-ip.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-general |
John D. Burger wrote:
> If I am reading the (7.4) docs correctly, privileges can be granted
> only with respect to tables that exist at the time the GRANT command
> is given - there is no
>
> GRANT ALL ON * TO PUBLIC
>
> or some such that would result in subsequently created tables having
> public privileges.
>
> Is this so?
Yes.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
From: | "John D(dot) Burger" <john(at)mitre(dot)org> |
---|---|
To: | "pgsql-general postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Anticipatory privileges |
Date: | 2007-02-17 16:33:56 |
Message-ID: | 773D21A2-92D0-45EC-A9AD-91FB566E6691@mitre.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-general |
Alvaro Herrera wrote:
>> If I am reading the (7.4) docs correctly, privileges can be granted
>> only with respect to tables that exist at the time the GRANT command
>> is given
> Yes.
In fact, I have to individually grant access to each table, and any
associated sequences, yes? How dangerous is it to UPDATE pg_class
directly, perhaps copying the relacl column for a table that I've
done by hand with GRANT. I'm thinking something like this:
=> grant all on annotations to public;
=> update pg_class set relacl = (select relacl from pg_class where
relname = 'annotations')
where relnamespace = (select oid from pg_namespace where nspname =
'public');
This will "grant" access to indexes and other stuff that may be
unnecessary, but is this a sound approach? (By the way, are there in
fact any other kinds of objects that I may need to allow access to,
other than tables and sequences?)
Another solution to my access control issues is to change the owner
of the tables and sequences. Can I safely do this with an UPDATE on
pg_class?
Thanks, and sorry if these are dumb questions, but I haven't been
able to glean the answers directly from the docs.
- John Burger
MITRE
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "John D(dot) Burger" <john(at)mitre(dot)org> |
Cc: | "pgsql-general postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Anticipatory privileges |
Date: | 2007-02-17 16:57:30 |
Message-ID: | 19787.1171731450@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-general |
"John D. Burger" <john(at)mitre(dot)org> writes:
> How dangerous is it to UPDATE pg_class
> directly, perhaps copying the relacl column for a table that I've
> done by hand with GRANT.
You can do it, and it will seem to work. However, unless you also make
entries in pg_shdepend, bad things will happen if you later drop any of
the users mentioned in the ACL. Your code will also be vulnerable to
breakage in future releases if we change any of these details.
A better approach is to write a plpgsql function that assembles and
EXECUTEs the required GRANT commands.
regards, tom lane
From: | "John D(dot) Burger" <john(at)mitre(dot)org> |
---|---|
To: | "pgsql-general postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Anticipatory privileges |
Date: | 2007-02-17 17:12:44 |
Message-ID: | 40BBDBBC-D79C-436A-9071-2C8B5F2B9246@mitre.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-general |
Tom Lane wrote:
>> How dangerous is it to UPDATE pg_class
>> directly, perhaps copying the relacl column for a table that I've
>> done by hand with GRANT.
>
> You can do it, and it will seem to work. However, unless you also
> make
> entries in pg_shdepend, bad things will happen if you later drop
> any of
> the users mentioned in the ACL. Your code will also be vulnerable to
> breakage in future releases if we change any of these details.
>
> A better approach is to write a plpgsql function that assembles and
> EXECUTEs the required GRANT commands.
Okay, thanks - guess it's time to learn some real plpgsql control
structures.
- John Burger
MITRE
From: | John DeSoi <desoi(at)pgedit(dot)com> |
---|---|
To: | John D(dot) Burger <john(at)mitre(dot)org> |
Cc: | "pgsql-general postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Anticipatory privileges |
Date: | 2007-02-18 13:31:08 |
Message-ID: | A98CC7B3-6865-439D-8972-59822110F26B@pgedit.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-general |
On Feb 17, 2007, at 12:12 PM, John D. Burger wrote:
>>
>> A better approach is to write a plpgsql function that assembles and
>> EXECUTEs the required GRANT commands.
>
> Okay, thanks - guess it's time to learn some real plpgsql control
> structures.
You can find some help here:
http://pgedit.com/tip/postgresql/access_control_functions
John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL