From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Jim Nasby <decibel(at)decibel(dot)org> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Default permissisons from schemas |
Date: | 2007-01-24 14:16:18 |
Message-ID: | 20070124141618.GL24675@kenobi.snowman.net |
Lists: | pgsql-hackers |
* Jim Nasby (decibel(at)decibel(dot)org) wrote:
> On Jan 23, 2007, at 12:07 PM, Stephen Frost wrote:
> >Hmm. While I agree with the sentiment, Unix does provide for setgid
> >such that objects inherit a specific group on creation. Using roles we
> >don't get that distinction so I don't think comparing it to Unix is a
> >slam-dunk. There do need to be limitations here though, certainly. A
> >couple options, in order of my preference:
>
> Is there a use-case for per-schema default ownership? I can't really
> think of one...
Sure, all the objects in a given schema should be owned by a role which
all the admins of that schema are members of. I really see this as a
sensible step from ACLs since ownership implies additional permissions
(which can't otherwise be granted, otherwise it wouldn't matter so much).
We do this quite a bit and it's annoying when someone forgets to change
the ownership of something they created. Since we do this largely on a
per-schema basis (and different schemas have different admin groups,
which can overlap) getting people to remember to 'set role' doesn't seem
likely to practically improve things much. I've considered writing a
cron job to periodically fix all the ownerships and permissions but then
having actual exceptions becomes a pain.
Thanks,
Stephen