Skip site navigation (1) Skip section navigation (2)

Re: Schema security

From: Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>
To: Paul Lambert <paul(dot)lambert(at)reynolds(dot)com(dot)au>
Cc: pgsql admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Schema security
Date: 2007-12-13 13:01:15
Message-ID: 20071213130114.GB6262@alvh.no-ip.org (view raw or flat)
Thread:
Lists: pgsql-admin
Paul Lambert wrote:

> Taking your example of file permissions - although it is not default 
> behavior, it is possible to recursively apply a priviledge change to a 
> directory onto files/subdirectories within it. Certainly it can be done on 
> OpenVMS and Windows that I work with primarily and I'm 99% sure it can be 
> done on *ix systems too.
>
> I.e.
> GRANT ALL ON SCHEMA <blah> TO <role> CASCADE;
> NOTICE: GRANT ALL cascades to table "billings"
> NOTICE: GRANT ALL cascades to table "customers"
> NOTICE: GRANT ALL cascades to function "calculate_daily_balance()"
> etc...

Yes, it can be done at least with GNU chmod by using chmod -R.

The problem is that it doesn't work too well for schemas -> tables,
because the set of acceptable privileges is completely different.  So
the only case that would work is GRANT ALL.  Perhaps what could work is
to be able to specify wildcards in GRANT, for example

GRANT SELECT, INSERT ON TABLE schema.* TO <role>

The problem with this idea is what happens if you create a new table in
that schema?  Is the role given access to that table?  (The other
problem is whether this new command conforms to the SQL standard, or is
it in conflict with it.)

-- 
Alvaro Herrera                 http://www.amazon.com/gp/registry/CTMLCN8V17R4
"Estoy de acuerdo contigo en que la verdad absoluta no existe...
El problema es que la mentira sí existe y tu estás mintiendo" (G. Lama)

In response to

pgsql-admin by date

Next:From: olivier boissardDate: 2007-12-13 13:15:13
Subject: Re: improve performance in a big table
Previous:From: Paul LambertDate: 2007-12-13 05:55:53
Subject: Re: Schema security

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group