From: | "William ZHANG" <uniware(at)zedware(dot)org> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: GRANT/REVOKE: Allow column-level privileges |
Date: | 2006-01-26 14:25:40 |
Message-ID: | dram58$28ot$2@news.hub.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
I think we should pay attention to the sematic of table privs and column
privs.
Here is some examples.
1. role1 GRANT table priviledge SELECT on table S to role2.
role1 REVOKE column priviledge SELECT on column S(SNO) from role2.
2. deal with circles in GRANT graph.
"kevin brintnall" <kbrint(at)rufus(dot)net> wrote
> Fellow Hackers,
>
> I've been working on this item for a little while, and I'm starting to see
> some code come together. I wanted to solicit some feedback before I got
> too far along to make sure I'm on the right track.
>
> Here's a rough overview of what I've done so far:
>
> -----------------------------------------------------------------
>
> PARSER:
>
> * modified parser to accept SQL column privs syntax
>
> * created a PrivAttr Node which holds ( priv, attr[] ) pairs. Currently,
> it's just a list of strings. For example, when you call...
>
> GRANT SELECT, UPDATE (col1, col2) ON table1, table2 to grantee;
>
> ... the parser creates a list of Nodes:
>
> ("select", NIL), ("update", ("col1", "col2"))
>
> SYSTEM CATALOG:
>
> * add "attacl aclinfo[]" column to pg_attribute table and
Form_pg_attribute.
> * add OID column to pg_attribute. This permits dependencies to be
> registered correctly in pg_shdepend.
> * populated attacl column in existing pg_attribute bootstrap with NULLs
> * allocated an unused oid for each of the pg_attribute rows that are
> bootstrapped
> * created an oid index on pg_attribute
>
> * modified ExecuteGrantStmt to handle the PrivAttr structure instead of
> the list of strings
> * modified ExecuteGrantStmt to do a nested loop over all
> (column,relation) pairs in the GRANT and find oids for all of the
> attributes.
>
> PSQL COMMAND LINE:
>
> * display column privileges with "\d+ table"
>
> STILL LEFT TO DO:
>
> * implement ExecGrant_Attribute() to modify pg_attribute
> * verify query against column privileges in addition to table privileges
> * register dependencies
> * pg_dump column privileges
>
> -----------------------------------------------------------------
>
> I'd welcome any feedback on the design changes I've made, or any other
> potential snags I should watch out for.
>
> Thanks.
>
> --
> kevin brintnall =~ <kbrint(at)rufus(dot)net>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: don't forget to increase your free space map settings
>
From | Date | Subject | |
---|---|---|---|
Next Message | Matthew T. O'Connor | 2006-01-26 14:41:08 | Re: autovacuum |
Previous Message | William ZHANG | 2006-01-26 14:15:00 | Re: debug_query_string and multiple statements |