From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [PATCHES] Users/Groups -> Roles |
Date: | 2005-06-29 18:36:51 |
Message-ID: | 20050629183651.GY24207@ns.snowman.net |
Lists: | pgsql-hackers pgsql-patches |

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> I notice that AddRoleMems/DelRoleMems assume that ADMIN OPTION is not
> inherited indirectly; that is it must be granted directly to you.
> This seems wrong; SQL99 has under <privileges>
>
> 19) B has the WITH ADMIN OPTION on a role if a role authorization
> descriptor identifies the role as granted to B WITH ADMIN OPTION
> or a role authorization descriptor identifies it as granted WITH
> ADMIN OPTION to another applicable role for B.
>
> and in the Access Rules for <grant role statement>
>
> 1) Every role identified by <role granted> shall be contained
> in the applicable roles for A and the corresponding role
> authorization descriptors shall specify WITH ADMIN OPTION.
>
> I can't see any support in the spec for the idea that WITH ADMIN OPTION
> doesn't flow through role memberships in the same way as ordinary
> membership; can you quote someplace that implies this?

Hrm, no, sorry, I just interpreted the 'Access Rules' line for <grant
role statement> differently. That is to say:

    1) Every role identified by <role granted> shall be contained
        (Alright, all the roles which you're granting, right)
    in the applicable roles for A and the corresponding role
        (A must be in all the roles which are being granted)
    authorization descriptors shall specify WITH ADMIN OPTION.
        (the grants to A for those rules specify ADMIN OPTION)

This came across to me as meaning "there must exist an authorization
descriptor such that the granted-role equals <role granted>, the grantee
is A and WITH ADMIN OPTION is set". That could only be true if the
grant was done explicitly. Reading from 19 above (which I don't recall
seeing before, or at least not reading very carefully) I think you're
right. Either way is fine with me.

Thanks,
Stephen
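
The two readings discussed in this message, modelled as an added example (not code from the thread or from PostgreSQL). The role names and the grant table are constructed for illustration; only the rule 19 wording comes from the quoted text.

```python
from collections import namedtuple

# A role authorization descriptor: `role` is granted to `grantee`.
Grant = namedtuple("Grant", "role grantee admin_option")

# Constructed sample data (assumption, not from the thread).
GRANTS = [
    Grant("staff", "alice", False),    # alice is a plain member of staff
    Grant("admins", "staff", False),   # staff is a plain member of admins
    Grant("reports", "staff", True),   # staff holds reports WITH ADMIN OPTION
    Grant("audit", "alice", True),     # alice holds audit WITH ADMIN OPTION directly
]


def applicable_roles(grants, user):
    """Roles reachable from `user` by following memberships transitively."""
    seen, stack = set(), [user]
    while stack:
        holder = stack.pop()
        for g in grants:
            if g.grantee == holder and g.role not in seen:
                seen.add(g.role)       # the `seen` set also guards against cycles
                stack.append(g.role)
    return seen


def has_admin_direct(grants, user, role):
    """Direct-only reading: a descriptor must name `user` itself as grantee."""
    return any(g.role == role and g.grantee == user and g.admin_option
               for g in grants)


def has_admin_inherited(grants, user, role):
    """Rule 19 reading: the grantee may be `user` or any applicable role for `user`."""
    holders = {user} | applicable_roles(grants, user)
    return any(g.role == role and g.grantee in holders and g.admin_option
               for g in grants)


if __name__ == "__main__":
    for role in ("audit", "reports", "admins"):
        print(role,
              "direct:", has_admin_direct(GRANTS, "alice", role),
              "inherited:", has_admin_inherited(GRANTS, "alice", role))
```

The readings differ only for `reports`: alice reaches it through `staff`, so the direct-only check refuses the grant while the rule 19 check allows it.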