Re: [PATCH] DefaultACLs

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > This doesn't actually address the entire problem. How about
> > schema-level default grants which you want to override with per-role
> > default grants? Or the other way around? Is it always only more
> > permissive with more defaults? Even when the grantee is the same?
>
> Well, bear in mind that we're *only* going to allow these things
> per-role, so as to avoid the problem of translating ACLs to a different
> grantor. So the main case that's not being solved is "I'd like to
> grant privileges XYZ everywhere except in this schema". I'm willing to
> write that off as not being within the scope of a simple mechanism.

Erm, wait, we're going to drop the only piece of this that outside folks
have actually been asking for? Specifically, having per-schema default
ACLs? Big -1 for even bothering to add the complexity if we're not
going to address what end users are actually looking for. Perhaps I
missed where the issue with assigning the right grantor was, but that
feels very much like an implementation detail we can certainly solve and
document which way we decided to solve it (either schema owner, which
would be my preference, or object creator, which would be acceptable as
well).

That's my thoughts on it.

Thanks,

Stephen