Re: Why sequence grant is separated from table?

From: Rural Hunter <ruralhunter(at)gmail(dot)com>
To: "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Why sequence grant is separated from table?
Date: 2013-06-20 01:38:19
Message-ID: 51C25D0B.60002@gmail.com
Lists: pgsql-admin

<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Yes, that's also an acceptable
solution.<br>
<br>
On 2013/6/20 3:48, Craig James wrote:<br>
</div>
<blockquote
cite="mid:CAFwQ8rcwDqPArROq30MOXtN1c7yZn3ODy2fy8W6mcvZSEZeVhg(at)mail(dot)gmail(dot)com"
type="cite"><br>
<br>
<div class="gmail_quote">On Wed, Jun 19, 2013 at 2:35 AM, Rural
Hunter <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ruralhunter(at)gmail(dot)com" target="_blank">ruralhunter(at)gmail(dot)com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I really hate the error "permission denied for sequence xxxxx"
when I grant on a table but forget to grant additionally on
the related sequence to users. Can the permission of table and
related sequences be merged?<span class="HOEnZb"><font
color="#888888"><br>
</font></span></blockquote>
<div><br>
You asked this question back in March; here's what I suggested
at the time:<br>
<pre style="margin-left:40px">On Thu, Mar 28, 2013 at 10:56 PM, Rural Hunter &lt;<a moz-do-not-send="true" href="mailto:ruralhunter(at)gmail(dot)com">ruralhunter(at)gmail(dot)com</a>&gt; wrote:
&gt; Hi,
&gt;
&gt; I encounter the same issue often: Granted update/insert to a user but
&gt; forgot to grant it on the related sequence. It's hard to understand that a
&gt; user has write access on table but not on necessary sequences. I think the
&gt; grant on tables should cascade to related sequences. What do you think?
&gt;

Wouldn't it make more sense for the grant on the table to fail with an
appropriate error message? That would solve your problem, and it wouldn't
be making security assumptions. Cascading permissions seems like a recipe
for trouble.

Craig
</pre>
What I suggest is that having the "grant ... on tablename" fail
would serve your purpose.  What you want is for it to let you
know you've made a security change that is bound to fail.  I
think it would actually be better to have the GRANT fail since
it would notify you that the script or procedure you are using
is incorrect.<br>
<br>
Craig<br>
 <br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="HOEnZb"><font color="#888888">
<br>
<br>
</font></span></blockquote>
</div>
<br>
</blockquote>
<br>
</body>
</html>
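
The thread turns on grant scripts that give a role INSERT on a table but miss the sequence behind a serial column. The following is an added example, not part of the original messages or of PostgreSQL itself: a catalog query that lists every such gap and emits the missing GRANT, so the script can be checked without widening privileges automatically. It assumes sequences linked to columns through `serial` or `OWNED BY`, and checks table-level INSERT only.

```sql
-- Added example: audit for roles that can INSERT into a table but cannot
-- call nextval() on a sequence owned by one of that table's columns.
-- Read-only; it only reports the gap and a suggested statement.
SELECT r.rolname                 AS role_name,
       t.oid::regclass           AS table_name,
       a.attname                 AS column_name,
       s.oid::regclass           AS sequence_name,
       format('GRANT USAGE ON SEQUENCE %s TO %I;',
              s.oid::regclass, r.rolname) AS suggested_grant
FROM pg_class s
JOIN pg_depend d
  ON d.classid    = 'pg_class'::regclass   -- dependent object is a relation
 AND d.objid      = s.oid                  -- ... namely the sequence
 AND d.refclassid = 'pg_class'::regclass   -- referenced object is a relation
 AND d.refobjsubid > 0                     -- ... specifically one of its columns
 AND d.deptype    = 'a'                    -- auto dependency: serial / OWNED BY
JOIN pg_class t
  ON t.oid = d.refobjid
JOIN pg_attribute a
  ON a.attrelid = t.oid
 AND a.attnum   = d.refobjsubid
CROSS JOIN pg_roles r
WHERE s.relkind = 'S'
  AND NOT r.rolsuper                       -- superusers bypass privilege checks
  -- Table-level INSERT only; column-level INSERT grants are not considered.
  AND has_table_privilege(r.oid, t.oid, 'INSERT')
  -- nextval() needs USAGE or UPDATE; the comma list means "any of these".
  AND NOT has_sequence_privilege(r.oid, s.oid, 'USAGE, UPDATE')
ORDER BY role_name, table_name, sequence_name;
```

An empty result means every role with INSERT on a table also holds a privilege that allows `nextval()` on the sequences owned by that table's columns, whether granted directly, through role membership or via PUBLIC.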
