Skip site navigation (1) Skip section navigation (2)

Re: Prep object creation hooks, and related sepgsql updates

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Prep object creation hooks, and related sepgsql updates
Date: 2011-11-27 19:55:18
Message-ID: (view raw or whole thread)
Lists: pgsql-hackers
2011/11/26 Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>:
> Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> writes:
>> We still don't have clear direction of the way to implement external permission
>> checks on object creation time. So, please consider these patches are on the
>> proof-of-concept stage; using prep-creation-hook to permission checks.
> I wonder if you could implement that as an extension given the command
> trigger patch finds its way in.  What do you think?
Unfortunately, it does not solve my point.

My proposition allows an extension to deliver an opaque value being set up
at the prep-creation hook into post-creation hook. It shall be used to deliver
a security label to be assigned on the new object, however, it is unavailable
to assign on prep-creation phase, because its object-id is not fixed yet.
(It is not an option to ask operating system a default security label of the
new object twice, because security policy may be reloaded between prep-
and post-.)

It is also reason why I mentioned about an idea that put prep-creation hook
on a limited number of object classes only. It requires us code modification
to maintain an opaque private between prep- and post- hooks.

KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

In response to


pgsql-hackers by date

Next:From: David E. WheelerDate: 2011-11-27 20:12:41
Subject: Re: Patch: Perl xsubpp
Previous:From: Kevin GrittnerDate: 2011-11-27 19:18:31
Subject: Re: Feature proposal: www_fdw

Privacy Policy | About PostgreSQL
Copyright © 1996-2015 The PostgreSQL Global Development Group