| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCHES] Users/Groups -> Roles |
| Date: | 2005-06-29 17:40:20 |
| Message-ID: | 11646.1120066820@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
I notice that AddRoleMems/DelRoleMems assume that ADMIN OPTION is not
inherited indirectly; that is it must be granted directly to you.
This seems wrong; SQL99 has under <privileges>
19) B has the WITH ADMIN OPTION on a role if a role authorization
descriptor identifies the role as granted to B WITH ADMIN OPTION
or a role authorization descriptor identifies it as granted WITH
ADMIN OPTION to another applicable role for B.
and in the Access Rules for <grant role statement>
1) Every role identified by <role granted> shall be contained
in the applicable roles for A and the corresponding role
authorization descriptors shall specify WITH ADMIN OPTION.
I can't see any support in the spec for the idea that WITH ADMIN OPTION
doesn't flow through role memberships in the same way as ordinary
membership; can you quote someplace that implies this?
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2005-06-29 18:24:24 | Re: Proposal: associative arrays for plpgsql (concept) |
| Previous Message | Douglas McNaught | 2005-06-29 17:20:17 | Re: Proposal: associative arrays for plpgsql (concept) |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2005-06-29 18:36:51 | Re: [PATCHES] Users/Groups -> Roles |
| Previous Message | Stephen Frost | 2005-06-29 16:31:03 | Change Ownership Permission Checks |