From: | "Jean-Francois Leveque" <leveque(at)webmails(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Database Users Management and Privileges |
Date: | 2001-07-06 17:11:13 |
Message-ID: | 20010706161113.23869.qmail@webmails.com |
Lists: | pgsql-hackers |
Gunnar Rønning wrote:
>
> * Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> |
> | Jean-Francois Leveque writes:
> |
> | > Coming from Oracle, I was disappointed that
> | > the users were not "per individual database".
> |
> | > Is there any chance that this will change in
> | > the future ?
> |
> | Most likely not. For one thing, it would be a problem to assign owners to
> | databases.
Why can't database owners be referenced in one table
and database users (not owners) be referenced in
another table with the corresponding database
referenced ?
They're not the same kind of users, are they ?
Maybe I used Oracle too much in the past.
> Why? Better user management and policy delegations would be important
> for postgresql to succeed in enterprise environments. Maybe one should
> start distinguishing logins from users like Sybase does. Logins are global
> to all databases, and you can create a user for a given database and assign
> it to a login. It would also be nice to be able to assign users to
> groups (which in turn define access rights within the database).
I created database user groups and I'm satisfied
with the assignment of users to groups (See CREATE GROUP
and ALTER GROUP).
Regarding Privileges, I was thinking about
the content of \z "Access permissions for database"
results. We have a lot of "=arwR" for the object
owner when we granted permissions to others. The
owner obviously has all rights on his objects and
I see no reason to revoke those rights. So, I think
they don't have to be stored in access permissions
if the PostgreSQL code can check if it's the owner
asking. We wouldn't then need the '"="' anymore for
not granting anything to PUBLIC.
We then wouldn't need to have:
"REVOKE ALL on <object> from PUBLIC;"
"GRANT ALL on <object> to <owner>;"
in pg_dump output.
I'm not able to help on this because I'm no
pgsql-hacker, but I think PostgreSQL will be
better with such an alteration.
Maybe it's already on someone's list but I
couldn't find information about such work in progress.
Maybe those two changes are too much for 7.1.3,
but I think they would be good candidates for 8.0.
Please tell me if I'm pushing too far, I'm not much
used to this list's etiquette.
PostgreSQL is good, I just want it to be better.
regards,
Jean-Francois Leveque