From: | Simon Riggs <simon(at)2ndQuadrant(dot)com> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Privileges and inheritance |
Date: | 2009-10-05 09:47:54 |
Message-ID: | 1254736074.4691.132.camel@ebony.2ndQuadrant |
Lists: | pgsql-hackers |
On Mon, 2009-10-05 at 12:30 +0300, Peter Eisentraut wrote:
> On Mon, 2009-10-05 at 09:22 +0100, Simon Riggs wrote:
> > On Sat, 2009-10-03 at 09:45 +0300, Peter Eisentraut wrote:
> >
> > > We could use a GUC variable to ease the transition, perhaps like
> > > sql_inheritance = no | yes_without_privileges | yes
> >
> > The original way of doing things was quite useful if you wanted some
> > people to be able to see history and others just see recent data. I
> > don't think many people are aware of or take advantage of that, so your
> > proposal does simplify things for many people.
>
> Wouldn't that look something like
>
> data -- empty
> data_recent INHERITS (data)
> data_old INHERITS (data)
> data_ancient INHERITS (data)
>
> GRANT ... ON data_recent TO A
> GRANT ... ON data_old TO B
>
> I guess you could also do
>
> data -- recent data
> data_old INHERITS (data)
> data_ancient INHERITS (data)
>
> GRANT ... ON data TO A
> GRANT ... ON data_old TO B
>
> And then A, who has only access to the recent data, would always have to
> use ONLY data to be able to do anything. That would be a pretty weird
> setup. The workaround is to change it to the setup above, which you can
> do with a few renames.

If you use multiple inheritance it all works as I described.

top level: data-template
main tables: data, data-recent both inherit from data-template
all partitions inherit from data
only recent partitions inherit from data-recent
grants are issued on data and data-recent

Now that I think about it more, I want the change you describe but don't
think it's a system-wide setting. You may have PostgreSQL inheritance
apps next door to partitioning apps. The right place to fix this is when
we implement partitioning syntax, so we can set a flag saying "make
permissions easier for partitions".

--
Simon Riggs www.2ndQuadrant.com
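
Added example, not part of the original message or of PostgreSQL's own code: the multiple-inheritance layout described above written out as DDL, with grants only on the two entry-point tables. It assumes a PostgreSQL version in which a query through a parent table checks privileges on that parent only (the behaviour this thread proposes), a superuser session, and hypothetical names: the roles `reader_all` and `reader_recent`, the partitions `data_2008` and `data_2009`, and underscores in place of the hyphens used in the message.

```sql
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE reader_all    NOLOGIN;  -- hypothetical role: may read full history
CREATE ROLE reader_recent NOLOGIN;  -- hypothetical role: may read recent data only

-- Top level: column definitions only, holds no rows.
CREATE TABLE data_template (id int, ts date, payload text);

-- Main tables: both inherit from the template and stay empty themselves.
CREATE TABLE data        () INHERITS (data_template);
CREATE TABLE data_recent () INHERITS (data_template);

-- All partitions inherit from data; only recent ones also from data_recent.
-- (PostgreSQL merges the identically named inherited columns.)
CREATE TABLE data_2008 () INHERITS (data);
CREATE TABLE data_2009 () INHERITS (data, data_recent);

-- Constructed sample rows.
INSERT INTO data_2008 VALUES (1, DATE '2008-06-01', 'old row');
INSERT INTO data_2009 VALUES (2, DATE '2009-10-01', 'recent row');

-- Grants are issued on data and data_recent, never on a partition.
GRANT SELECT ON data        TO reader_all;
GRANT SELECT ON data_recent TO reader_recent;

-- reader_all reaches every partition through data.
SET LOCAL ROLE reader_all;
SELECT tableoid::regclass AS partition, id, ts FROM data;
RESET ROLE;

-- reader_recent reaches only the partitions attached to data_recent.
SET LOCAL ROLE reader_recent;
SELECT tableoid::regclass AS partition, id, ts FROM data_recent;
-- Both of the following are refused for reader_recent (left commented out
-- because an error would abort the transaction):
--   SELECT * FROM data;       -- no grant on the full-history parent
--   SELECT * FROM data_2009;  -- no grant on the partition itself
RESET ROLE;

-- Audit: list every grant in the hierarchy; only the two parents should appear.
SELECT table_name, grantee, privilege_type
FROM information_schema.table_privileges
WHERE table_name LIKE 'data%' AND grantee LIKE 'reader_%';

ROLLBACK;
```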