Re: Default permissions from schemas

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Merlin Moncure <mmoncure(at)gmail(dot)com>
Cc: Jim Nasby <decibel(at)decibel(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Default permissions from schemas
Date: 2007-01-24 19:11:43
Message-ID: 20070124191143.GO24675@kenobi.snowman.net
Lists: pgsql-hackers

* Merlin Moncure (mmoncure(at)gmail(dot)com) wrote:
> On 1/24/07, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> >err, what proposal wasn't touching the GRANT syntax at all but rather
>
> right, but the original proposal did:
> # %Allow GRANT/REVOKE permissions to be applied to all schema objects
> with one command
>
> which was more or less (with the NEW TABLES flavor of the command)
> duplicated by:
>
> # Allow GRANT/REVOKE permissions to be inherited by objects based on
> schema permissions

These are pretty different things actually, imv.. I don't think it
makes sense to use GRANT on something which is clearly a schema
property. Would you still track the information in pg_namespace?
Nothing else makes sense to me and if it's there I think it's perfectly
reasonable to modify a schema property using ALTER SCHEMA. Hacking up
GRANT to do it sounds very, very ugly and not intuitive...

> and your proposal would make alter schema (and presumably create
> schema) the only command(s) that deal with privileges excluding

The proposal didn't involve CREATE SCHEMA. I don't really have a strong
opinion on that but I'm at least disinclined towards it as being
unnecessary.

> grant/revoke. That, IMO is actually a bad thing...a surprising
> behavior. I think the 'new tables' form is better but has the same
> problems as your proposal in that it does not disambiguate sequences
> from tables, etc. It would however solve (I think!) your problem
> without resorting to ownership delegation.

It doesn't seem unsurprising at all to me, especially with appropriate
documentation... Having the syntax in GRANT or in ALTER SCHEMA would
work for me for the ACLs. I don't see how that distinction does
anything to solve the concerns or provide a solution for ownership
delegation. Especially considering you can't change ownership with
GRANT today...

> >I don't think it makes sense to have this syntax be part of the GRANT
> >syntax since it's really about a schema..
>
> So, basically I disagree with the above, and agree with the others wrt
> ownership change, but very much agree if it is practical that having
> some mechanism of applying permissions to objects when they are
> created depending on which schema they are in is a good thing.

Ok. The issue that I have is that some permissions are exclusively
available only to the owner of an object, and it's not possible to grant
them. I feel that it should be possible to have those permissions
applied to objects when they are created as well...

Thanks,

Stephen
