Skip site navigation (1) Skip section navigation (2)

Re: Schema security

From: Paul Lambert <paul(dot)lambert(at)reynolds(dot)com(dot)au>
To: pgsql admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Schema security
Date: 2007-12-13 05:55:53
Message-ID: 4760C969.1060801@reynolds.com.au (view raw or flat)
Thread:
Lists: pgsql-admin
Tom Lane wrote:
> Paul Lambert <paul(dot)lambert(at)reynolds(dot)com(dot)au> writes:
>> I would have thought giving the user all privileges on a schema would by 
>> default add them to all objects within it,
> 
> Why would you think that?
> 
> The analogy to think about is that usage privilege on a schema is
> comparable to read access on a directory.  That doesn't necessarily give
> you access to any single file in the directory --- but lack of it does
> ensure you cannot get to those files.
> 
> 			regards, tom lane
> 
> 

Point taken and yes, I would agree that default behavior should be to 
not give priviledges to anything other than the explicitly defined 
object - but would it not be a good idea to provide some sort of 
cascade/recurse option to granting/revoking privileges so that doing so 
on a container object results in the priviledges being propogated down 
the line for the cases where such is desired?

Taking your example of file permissions - although it is not default 
behavior, it is possible to recursively apply a priviledge change to a 
directory onto files/subdirectories within it. Certainly it can be done 
on OpenVMS and Windows that I work with primarily and I'm 99% sure it 
can be done on *ix systems too.

I.e.
GRANT ALL ON SCHEMA <blah> TO <role> CASCADE;
NOTICE: GRANT ALL cascades to table "billings"
NOTICE: GRANT ALL cascades to table "customers"
NOTICE: GRANT ALL cascades to function "calculate_daily_balance()"
etc...

Much the same way that truncate or drop and so forth can have a cascade 
option to propogate down to dependant objects.

-- 
Paul Lambert
Database Administrator
AutoLedgers

In response to

Responses

pgsql-admin by date

Next:From: Alvaro HerreraDate: 2007-12-13 13:01:15
Subject: Re: Schema security
Previous:From: Bansal, Gaurav (Gaurav)Date: 2007-12-13 05:53:00
Subject: Re: Postgres Start

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group