From: | jmoschet(at)netscape(dot)net |
---|---|
To: | pgsql-admin(at)postgresql(dot)org, pgsql-hackers(at)postgresql(dot)org |
Subject: | Permissions on Stored Procedures |
Date: | 2000-12-26 17:24:08 |
Message-ID: | 4F84075A.3A91673C.009EFA21@netscape.net |
Lists: | pgsql-admin pgsql-hackers |
I've been searching the lists and found a similar question but there have been no
replies.

What I would like to be able to do in Postgres is give users/groups the
ability to execute stored procedures on a per procedure basis.

I am looking into the Rules system, thinking that this is achievable through
the use of query rewriting, dummy tables and _insert, _delete, _update rules.

I see in the internals.ps (docs directory) file there is an example (2.5.8 /
pg 49-50) of creating a dummy table and a rule that gets executed when
someone issues a SELECT on that dummy table.

The rule defines the actual query which is executed, so the *user* is none
the wiser. That's a start.

It seems that keeping track of *dummy* tables could get hairy and someone
cleaning up could accidentally remove a dummy table and disable a whole mess
of things inadvertently.

It would appear to be possible to set ACLs on a dummy table to only allow
certain users/groups to execute the select, insert, update or delete on the
dummy table itself. Thereby using the built-in postgres security to intervene
before the rules are ever executed.

There is an example of the use of a rule to prevent an insert on a table that
uses a special naming convention, <tablename>_insert that automatically gets
executed when the INSERT is issued. (and similarly for the
<tablename>_select, <tablename>_update and <tablename>_delete)
(PostgreSQL: Introduction and Concepts / Momjian, pg. 149)

Now if I'm way off and these scenarios are not possible, it would be nice to
have ACLs on entries in the pg_proc table or an additional entry in pg_class
for each stored proc/function (but that seems unlikely as it seems this would
affect other parts of the postgres subsystem) and have the 'traffic-cop'
check the permissions on the functions for us.

Thanks.
John Moschetto
attendee OSDN/OSDB Summit
Oct 30-31 2000 - Hayes Mansion
San Jose, California
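
The dummy-table approach described in the message, as an added example that is not part of the original post. It uses current PostgreSQL syntax rather than that of the 2000-era release under discussion, and every role, table and rule name is hypothetical.

```sql
-- Added example with hypothetical names. Run as a superuser who owns the objects.
CREATE ROLE clerks NOLOGIN;
CREATE ROLE alice LOGIN IN ROLE clerks;   -- may run the "procedure"
CREATE ROLE bob LOGIN;                    -- may not

-- The real data: no direct access for ordinary users.
CREATE TABLE audit_log (
    logged_at timestamptz NOT NULL DEFAULT now(),
    who       text        NOT NULL,
    note      text        NOT NULL
);
REVOKE ALL ON audit_log FROM PUBLIC;

-- The dummy table never stores rows; its ACL acts as the execute permission.
CREATE TABLE add_note (note text);
COMMENT ON TABLE add_note IS 'Gate for rule add_note_insert; do not drop';
REVOKE ALL ON add_note FROM PUBLIC;
GRANT INSERT ON add_note TO clerks;

-- The "procedure" body. The ACL on add_note is checked against the calling
-- user; relations used inside the rule action are checked against the rule
-- owner, so callers need no privileges on audit_log.
CREATE RULE add_note_insert AS
    ON INSERT TO add_note
    DO INSTEAD
    INSERT INTO audit_log (who, note) VALUES (current_user, NEW.note);

-- Checks (run interactively; the denied statements raise errors).
SET ROLE alice;
INSERT INTO add_note VALUES ('quarterly close');               -- allowed via clerks
INSERT INTO audit_log (who, note) VALUES ('alice', 'direct');  -- permission denied
RESET ROLE;

SET ROLE bob;
INSERT INTO add_note VALUES ('not a clerk');                   -- permission denied
RESET ROLE;

-- Only alice's gated insert is recorded, stamped with the caller's role name.
SELECT who, note FROM audit_log;
-- The gate itself stays empty because the rule is DO INSTEAD.
SELECT count(*) FROM add_note;
```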