Re: pre-proposal: permissions made easier

From: Josh Berkus <josh(at)agliodbs(dot)com>
To: Greg Stark <gsstark(at)mit(dot)edu>
Cc: Jeff Davis <pgsql(at)j-davis(dot)com>, David Fetter <david(at)fetter(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pre-proposal: permissions made easier
Date: 2009-06-30 00:51:17
Message-ID: 4A496185.60804@agliodbs.com
Lists: pgsql-hackers
Greg,

> And there's "I just created a new table, I want "www" and
> "www-backend" to get their usual privileges without thinking about it.
> You want to be able to specify default grants that an object gets
> based on the schema? That seems mostly reasonable though it might be a
> good idea to have a WITH DEFAULT GRANTS or something like that on the
> CREATE statement so that the dba has to make it explicit.

Well, the idea is *user and schema*, not schema alone.  I think Jeff's 
proposal for users was user alone, unmodified by schema.  I'd prefer to 
reverse the switch (i.e. NO DEFAULT GRANTS) just because I'd like 
default grants to work with ORMs and similar.

In other words, my/Stephen's proposal amounts to the idea that objects 
in a schema should, by default, be able to inherit permissions from 
their schema at creation time.

> It does
> seem slightly silly since surely anyone creating a new object would
> just paste in their grants from another object or some common source
> anyways, but I suppose that's the way with convenience features.

That works fine until you have 6 (or more) defined roles and a couple 
hundred objects, and are in an "agile" environment where the dev team is 
constantly adding objects which have the wrong permissions.  That's 
whose problem I'm trying to solve (because they're my clients).

-- 
Josh Berkus
PostgreSQL Experts Inc.
www.pgexperts.com
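
The per-user, per-schema default grants discussed in this message, written with PostgreSQL's ALTER DEFAULT PRIVILEGES command (9.0 and later), followed by an audit query for tables that are missing an expected grant. This is an added example, not part of the original message; the schema `app`, the role `dev_team`, the table `app.orders` and the privilege sets are assumptions, and only the role names `www` and `www-backend` come from the thread.

```sql
-- Constructed setup (assumed names; run as a superuser in a scratch database).
CREATE ROLE dev_team NOLOGIN;
CREATE ROLE www NOLOGIN;
CREATE ROLE "www-backend" NOLOGIN;
CREATE SCHEMA app AUTHORIZATION dev_team;
GRANT USAGE ON SCHEMA app TO www, "www-backend";

-- Default grants keyed on the creating role AND the schema:
-- they apply at creation time to tables dev_team creates in app.
ALTER DEFAULT PRIVILEGES FOR ROLE dev_team IN SCHEMA app
    GRANT SELECT ON TABLES TO www;
ALTER DEFAULT PRIVILEGES FOR ROLE dev_team IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "www-backend";

-- A new table picks up the grants with no explicit GRANT statement.
SET ROLE dev_team;
CREATE TABLE app.orders (id bigint PRIMARY KEY, total numeric NOT NULL);
RESET ROLE;

-- Audit: list every (table, role, privilege) that is expected but absent,
-- e.g. tables created before the defaults existed or by a different role.
SELECT c.relname   AS table_name,
       e.rolname   AS role_name,
       e.priv      AS missing_privilege
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN (VALUES
    ('www',         'SELECT'),
    ('www-backend', 'SELECT'),
    ('www-backend', 'INSERT'),
    ('www-backend', 'UPDATE'),
    ('www-backend', 'DELETE')
) AS e(rolname, priv)
WHERE n.nspname = 'app'
  AND c.relkind = 'r'          -- ordinary tables only
  AND NOT has_table_privilege(e.rolname::name, c.oid, e.priv)
ORDER BY c.relname, e.rolname, e.priv;
```

With the setup above the audit query returns no rows; a table created in `app` by any role other than `dev_team` would appear in it, because the defaults are scoped to the creating role.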
