From: | Jeff Davis <pgsql(at)j-davis(dot)com> |
---|---|
To: | David Fetter <david(at)fetter(dot)org> |
Cc: | PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: "Freezing" per-role settings |
Date: | 2010-09-07 19:41:51 |
Message-ID: | 1283888511.18891.42.camel@jdavis-ux.asterdata.local |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, 2010-09-07 at 11:39 -0700, David Fetter wrote:
> We'd like to create a role called read_only, with eponymous
> capability.
Seems useful.
> If so, is it more
> DCL-ish, or more DDL-ish?
I don't like the idea of a security model relying on the ability (or
lack thereof) to set GUCs. Imagine the effects of adding new GUCs,
removing old ones, changing a GUC name, or tweaking the behavior
slightly. It makes more sense to tie it to the role directly, so DDL.
Also, you should put this in the context of previous discussions, which
lead to the "ON ALL TABLES IN SCHEMA" feature in 9.0. In particular,
that feature only affects existing objects, and you are trying to create
some kind of permissions mask which will affect new objects, as well.
Regards,
Jeff Davis
From | Date | Subject | |
---|---|---|---|
Next Message | marcin mank | 2010-09-07 20:06:03 | Re: Synchronization levels in SR |
Previous Message | Peter Eisentraut | 2010-09-07 18:54:47 | Re: UTF16 surrogate pairs in UTF8 encoding |