Re: GRANT/roles problem: grant is shown as from login role

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: GRANT/roles problem: grant is shown as from login role
Date: 2005-09-02 15:23:43
Message-ID: 20050902152343.GV6026@ns.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> This is looking a bit messy. Maybe for GRANT/REVOKE, we have to insist
> that privileges do not inherit, you have to actually be SET ROLE'd to
> whatever role has the authority to do the grant. I haven't figured out
> how the SQL spec avoids this problem, considering that they do have the
> concept of rights inheriting for roles.

There is 'revoke update on t1 from u3 granted by u2;' syntax in the
SQL 2003 specification. It doesn't look like we support that syntax
(looking at 8.0.3 anyway)- would that solve the problem if we did?

From your example, u1 couldn't revoke it because u1 couldn't become u2,
and we don't support syntax for saying "revoke this priviledge which was
granted by someone else", but the SQL spec has that syntax and if we did
then I think we'd allow the owner to use it.

Does that help?

Thanks,

Stephen

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2005-09-02 15:31:49 Re: Question about explain of index scan
Previous Message Tom Lane 2005-09-02 15:21:53 Re: Call for 7.5 feature completion