2011/11/26 Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>:
> Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> writes:
>> We still don't have a clear direction on how to implement external permission
>> checks at object creation time. So, please consider these patches to be at the
>> proof-of-concept stage, using the prep-creation hook for permission checks.
> I wonder if you could implement that as an extension given the command
> trigger patch finds its way in. What do you think?
Unfortunately, it does not solve my point.
My proposition allows an extension to deliver an opaque value, set up
at the prep-creation hook, to the post-creation hook. It shall be used to deliver
a security label to be assigned to the new object; however, the label cannot be
assigned in the prep-creation phase, because the object-id is not fixed yet.
(It is not an option to ask the operating system for a default security label of the
new object twice, because the security policy may be reloaded between prep-
It is also the reason why I mentioned the idea of putting the prep-creation hook
on a limited number of object classes only. It requires code modification on our
side to maintain an opaque private between the prep- and post- hooks.
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
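
The hand-off described in the message above, as an added example that is not part of the original post and is not PostgreSQL or extension code: a prep-creation hook computes and checks the default label once, and the post-creation hook either receives it as an opaque value or asks the policy a second time after a reload. All names, the label strings, the policy stand-in and the object id are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned int Oid;

static int policy_generation = 1;   /* constructed stand-in for the loaded policy */

/* Hypothetical query: default label for a new object under the current policy. */
static void policy_default_label(char *buf, size_t n)
{
    snprintf(buf, n, "example_table_t:gen%d", policy_generation);
}

/* Hypothetical opaque private data carried from the prep- to the post- hook. */
typedef struct { char label[64]; } CreationPrivate;

static char checked_label[64];   /* label the permission check was made against */
static char assigned_label[64];  /* label finally attached to the object */
static Oid  assigned_oid;

/* prep-creation: no object id exists yet, so the label can only be computed
 * and checked here, not assigned. */
static void prep_creation_hook(CreationPrivate *priv)
{
    policy_default_label(priv->label, sizeof priv->label);
    /* the permission check against priv->label would happen here */
    snprintf(checked_label, sizeof checked_label, "%s", priv->label);
}

/* post-creation: the object id is fixed; priv == NULL models "ask twice". */
static void post_creation_hook(Oid oid, const CreationPrivate *priv)
{
    assigned_oid = oid;
    if (priv)
        snprintf(assigned_label, sizeof assigned_label, "%s", priv->label);
    else
        policy_default_label(assigned_label, sizeof assigned_label);
}

/* Returns 1 when the assigned label is the one that was checked. */
int labels_match(int use_opaque)
{
    CreationPrivate priv;
    policy_generation = 1;
    prep_creation_hook(&priv);
    policy_generation++;              /* policy reloaded between prep and post */
    post_creation_hook(16384, use_opaque ? &priv : NULL);  /* constructed oid */
    return strcmp(checked_label, assigned_label) == 0;
}

int main(void)
{
    printf("opaque carried: match=%d (oid %u)\n", labels_match(1), assigned_oid);
    printf("asked twice:    match=%d (oid %u)\n", labels_match(0), assigned_oid);
    return 0;
}
```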