Skip site navigation (1) Skip section navigation (2)

Re: [PATCH] DefaultACLs

From: Petr Jelinek <pjmodos(at)pjmodos(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jan Urban'ski <wulczer(at)wulczer(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] DefaultACLs
Date: 2009-09-29 14:52:02
Message-ID: 4AC21F12.80100@pjmodos.net (view raw or flat)
Thread:
Lists: pgsql-hackers
Robert Haas napsal(a):
> On Mon, Sep 28, 2009 at 11:47 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>   
>> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>>     
>>>> One potential trouble spot is that presumably the built-in default
>>>> privileges (eg, PUBLIC EXECUTE for functions) would *not* cumulate
>>>> with user-specified defaults.
>>>>         
>>> Why not?
>>>       
>> How would you have a default that says "I *don't* want public execute on
>> my new functions"?
>>     
>
> Hmm...
>
> Maybe instead of having built-in default privileges, we could view
> each user as having their global default ACL pre-initialized to that
> same set of privileges (of course we needn't store it unless and until
> they modify it).  Then they could add to those or take away from them,
> plus add additional privileges at other levels.
>   

That's how it works now actually, the problem is that when you grant 
something in the chain you can't revoke it anywhere else in the chain 
when you are merging privileges as you proposed.

-- 
Regards
Petr Jelinek (PJMODOS)

In response to

Responses

pgsql-hackers by date

Next:From: Tom LaneDate: 2009-09-29 15:02:29
Subject: Re: Rejecting weak passwords
Previous:From: Tom LaneDate: 2009-09-29 14:50:03
Subject: Re: Rejecting weak passwords

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group