Re: Proposal: access control jails (and introduction as aspiring GSoC student)

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, Joseph Adams <joeyadams3(dot)14159(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Proposal: access control jails (and introduction as aspiring GSoC student)
Date: 2010-03-23 18:58:49
Message-ID: 4567.1269370729@sss.pgh.pa.us
Lists: pgsql-hackers

Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> Robert Haas wrote:
>> On Tue, Mar 23, 2010 at 1:28 PM, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
>>> BTW, if you wanted something less ambitious, we have a longstanding
>>> request to implement "local superuser", that is, the ability to give one
>>> role the ability to edit other roles in one database only.
>>
>> But roles aren't database-specific... they're globals.

> Well, that's another longstanding request ;-) (See the
> db_user_namespace hack)

Yeah, you'd have to fix that first. The "ambitious" part of that is
coming up with a spec that everybody will accept. Once you had that,
coding it might not be very hard ...

BTW, "local superuser" is an oxymoron. If you're superuser you'd have
no trouble whatsoever breaking into other databases. "Local CREATEROLE"
privilege could be a sane concept, though, if we had local roles.

regards, tom lane
