Re: GRANT ON ALL IN schema

From: Petr Jelinek <pjmodos(at)pjmodos(dot)net>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Nikhil Sontakke <nikhil(dot)sontakke(at)enterprisedb(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: GRANT ON ALL IN schema
Date: 2009-08-08 02:17:01
Message-ID: 4A7CE01D.7060604@pjmodos.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

I am sorry I forgot to write my opinion on these.
> Do we want to differentiate views from tables in these commands or not ?
I'd like to have views separate but I don't feel strongly about it.
However having single statement for TABLE, VIEW and SEQUENCE is not a
good idea IMHO, it will add confusion with standard GRANT statement and
I don't think we could call it a TABLE anymore.

> Do we want GRANT ON ALL (or GRANT ON * which is mysql style, btw) in
> SQL form (not functions or client enhancements) at all ? - if we
> decide that we don't want to have this as SQL statement then I'll drop
> the effort.
Well, since I've written the patch I am for it :) Probably with that
GRANT ON * and GRANT ON schema.* as it has indeed very low probability
that something like that will be in standard with different meaning and
also it's mysql compatible (which is the only db currently having this
feature I think), even if that's very little plus. Adding the
possibility of running commands on many objects at once in psql would be
nice addition in the future, especially since we could have more wild
syntax there, but I still feel strongly about having the simplest case
handled by SQL.

> And how do we want to filter default acls ?
My opinion is that the best way to do this would be ALTER DEFAULT
PRIVILEGES GRANT ..., without any additional filters, it would just
affect the role which runs this command. I think this is best solution
because ALTER SCHEMA forces creation of many schemas that might not have
anything to do with structure of the database (if you want different
default privileges for different things). Also having default privileges
per role with filters on various things will IMHO create more confusion
than good. And finally if somebody wants to have different default
privileges for different things than he can just create child roles with
different default privileges and use SET SESSION AUTHORIZATION to switch
between them.

--
Regards
Petr Jelinek (PJMODOS)

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2009-08-08 02:31:42 Commitfest 2009-07 - 6 patches moved to "Returned with Feedback"
Previous Message Paul Matthews 2009-08-08 01:07:38 Re: Fixing geometic calculation