From: | Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> |
---|---|
To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
Cc: | PgHacker <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [sepgsql 3/3] Add db_procedure:execute permission checks |
Date: | 2013-04-11 16:10:35 |
Message-ID: | CADyhKSXMTqndbcEuSXspyJdirFL36DHYGaBowUfcrPRMgVJj8Q@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
2013/4/11 Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>:
> Kohei KaiGai wrote:
>> This patch adds sepgsql support for permission checks almost
>> equivalent to the existing FUNCTION EXECUTE privilege.
>
> While skimming this patch I noticed that you're using
> getObjectDescription() as the "audit_name" of objects. This may be a
> bit unstable, for example consider that it's translated if lc_messages
> is set to something other than english. I would suggest that the object
> identity as introduced by commit f8348ea32ec8 is a better choice for
> this.
>
Thanks for your suggestion.
I tried to replace getObjectDescription() by getObjectIdentity() almost
mechanically, even though I had to put special handling around
OAT_POST_CREATE hook, as existing code doing, because
SnapshotNow cannot reference the new object just after creation.
Even though it massively affects regression test results, my preference
is the format using getObjectIdentity(), because audit log is not assumed
being read by human eyes usually. Thus, newer one is kindness style
for script developers to put just an identifier of object into "name" field
of audit log, without anything else.
Best regards,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Attachment | Content-Type | Size |
---|---|---|
sepgsql-v9.3-replace-get-object-description.v1.patch | application/octet-stream | 125.5 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2013-04-11 16:22:49 | Re: Nearing beta? |
Previous Message | Ants Aasma | 2013-04-11 16:06:41 | Re: Nearing beta? |