Re: Database Users Management and Privileges

From: "Jean-Francois Leveque" <leveque(at)webmails(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Database Users Management and Privileges
Date: 2001-07-06 17:11:13
Message-ID: 20010706161113.23869.qmail@webmails.com
Lists: pgsql-hackers
Gunnar Rønning wrote:
> 
> * Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
>  |
>  | Jean-Francois Leveque writes:
>  | 
>  | > Coming from Oracle, I was disappointed that
>  | > the users were not "per individual database".
>  | 
>  | > Is there any chance that this will change in
>  | > the future?
>  | 
>  | Most likely not.  For one thing, it would be a problem to assign
>  | owners to databases.

Why can't database owners be referenced in one table
and database users (not owners) be referenced in
another table with the corresponding database
referenced?

They're not the same kind of users, are they?

Maybe I used Oracle too much in the past.

>  Why? Better user management and policy delegations would be important
>  for postgresql to succeed in enterprise environments. Maybe one should
>  start distinguishing logins from users like Sybase does. Logins are global
>  to all databases, and you can create a user for a given database and assign
>  it to a login. It would also be nice to be able to assign users to
>  groups (which in turn define access rights within the database).

I created database user groups and I'm satisfied
with the assignment of users to groups (see CREATE GROUP
and ALTER GROUP).

Regarding Privileges, I was thinking about
the content of \z "Access permissions for database"
results. We have a lot of "=arwR" for the object
owner when we granted permissions to others. The
owner obviously has all rights on his objects and
I see no reason to revoke those rights. So, I think
they don't have to be stored in access permissions
if the PostgreSQL code can check if it's the owner
asking. We wouldn't then need the '"="' anymore for
not granting anything to PUBLIC.

We then wouldn't need to have:
"REVOKE ALL on <object> from PUBLIC;"
"GRANT ALL on <object> to <owner>;"
in pg_dump output.

I'm not able to help on this because I'm no
pgsql-hacker, but I think PostgreSQL will be
better with such alteration.

Maybe it's already on someone's list but I
couldn't find information about such work in progress.


Maybe those two changes are too much for 7.1.3,
but I think they would be good candidates for 8.0.

Please tell me if I'm pushing too far; I'm not very
used to this list's etiquette.

PostgreSQL is good, I just want it to be better.


regards,

Jean-Francois Leveque
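
The owner check proposed in this message, modelled as an added Python example (not PostgreSQL code and not part of the original post): it parses `\z`-style ACL entries and shows that the owner's entry and the empty PUBLIC entry `=` can be dropped without changing anyone's effective rights. The letter meanings, the `group name=` prefix, the sample entries and the rule that a missing PUBLIC entry grants nothing are assumptions.

```python
# Added illustration: models the owner check proposed in the message.
# Assumed letter meanings for \z output in PostgreSQL 7.1.
PRIVS = {"a": "INSERT", "r": "SELECT", "w": "UPDATE/DELETE", "R": "RULE"}
ALL = frozenset(PRIVS)

# Constructed sample: table owned by jf, nothing granted to PUBLIC.
SAMPLE = ["=", "jf=arwR", "alice=r", "group staff=ar"]


def parse_acl(items):
    """Map 'alice=r', 'group staff=ar', '=' to {(kind, name): letters}."""
    acl = {}
    for item in items:
        grantee, sep, letters = item.rpartition("=")
        if not sep or set(letters) - ALL:
            raise ValueError(f"malformed ACL entry: {item!r}")
        if grantee == "":
            key = ("public", "")
        elif grantee.startswith("group "):
            key = ("group", grantee[len("group "):])
        else:
            key = ("user", grantee)
        acl[key] = frozenset(letters)
    return acl


def effective(acl, owner, user, groups=()):
    """Rights of `user` when ownership is checked in code, not in the ACL."""
    if user == owner:
        return ALL  # proposed rule: the owner needs no stored entry
    privs = set(acl.get(("public", ""), ()))  # assumption: no entry, no rights
    privs |= acl.get(("user", user), frozenset())
    for group in groups:
        privs |= acl.get(("group", group), frozenset())
    return frozenset(privs)


def minimal_acl(items, owner):
    """Drop what the proposal makes redundant: owner entry and empty '='."""
    return [i for i in items if i != "=" and i.rpartition("=")[0] != owner]


if __name__ == "__main__":
    slim = minimal_acl(SAMPLE, "jf")
    print(SAMPLE, "->", slim)
    for user, groups in [("jf", ()), ("alice", ()), ("bob", ("staff",)), ("eve", ())]:
        before = effective(parse_acl(SAMPLE), "jf", user, groups)
        after = effective(parse_acl(slim), "jf", user, groups)
        print(user, "".join(sorted(after)), "unchanged" if before == after else "CHANGED")
```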

