Re: select any table

From: Sam Mason <sam(at)samason(dot)me(dot)uk>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: select any table
Date: 2008-03-26 12:14:15
Message-ID: 20080326121415.GM6870@frubble.xen.chris-lamb.co.uk
Lists: pgsql-general

On Tue, Mar 25, 2008 at 05:37:00PM -0400, Malinka Rellikwodahs wrote:
> On Tue, Mar 25, 2008 at 2:54 PM, Joshua D. Drake wrote:
> > On Tue, 25 Mar 2008 13:37:37 -0500 Jon Roberts wrote:
> > > It would be a nice enhancement to have a "select any table" privilege
> > > or at least "grant insert/update/delete/select on <schema_name>".
> >
> > Certainly, but it is also a foot gun.
>
> I'm just curious how would having the ability to grant privileges to a
> schema be a foot gun?

In ACL (Access Control List) systems this sort of "privilege" isn't very
natural. The closest thing I can imagine is by having a "default" set
of permissions that the user has control over, rather than currently
where the set of default permissions is fixed by PG to only include
unrestricted access by the owner. Another solution, and probably the
footgun that Joshua was referring to, would be to have some code that
is automatically run when a new object is created that grants read-only
access. I don't think PG provides a way to do this at the moment
though.

Other security models allow this case to be more directly expressed.
My current favourite is capability-based security; it allows you to
directly say that "auditors" have transitively read-only access to
specific things (i.e. the entire database).

Sam
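
PostgreSQL releases after this message added schema-wide grants and user-controlled default privileges (9.0) and a predefined read-all role (14). The sketch below is an added example, not part of the original email; the names auditors, app_owner and app are assumptions. It also shows the check that catches the footgun: default privileges cover only objects created by the role named in FOR ROLE.

```sql
-- Added example. Role and schema names are hypothetical.
CREATE ROLE auditors NOLOGIN;
CREATE ROLE app_owner NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

-- 1. Table-level SELECT is unusable without USAGE on the schema.
GRANT USAGE ON SCHEMA app TO auditors;

-- 2. Read access to every table and view that exists right now.
--    This is a one-off snapshot; later objects are not covered.
GRANT SELECT ON ALL TABLES IN SCHEMA app TO auditors;

-- 3. Read access to future tables, but only those created by app_owner.
--    Tables created in this schema by any other role get no grant.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT ON TABLES TO auditors;

-- Check: relations in the schema that auditors still cannot read,
-- for example because a different role created them after step 2.
SELECT c.oid::regclass             AS unreadable_relation,
       pg_get_userbyid(c.relowner) AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'app'
  AND c.relkind IN ('r', 'v', 'm', 'p', 'f')
  AND NOT has_table_privilege('auditors', c.oid, 'SELECT');

-- Review which default privileges are in force and for which creator.
SELECT pg_get_userbyid(defaclrole)   AS creating_role,
       defaclnamespace::regnamespace AS schema_name,
       defaclobjtype,
       defaclacl
FROM pg_default_acl;

-- 4. PostgreSQL 14+: read-only access to all tables, views and sequences
--    in all schemas, without per-object grants. Broad by design, so
--    grant it only to roles that are meant to see everything.
GRANT pg_read_all_data TO auditors;
```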
