Skip site navigation (1) Skip section navigation (2)

Re: Prep object creation hooks, and related sepgsql updates

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Prep object creation hooks, and related sepgsql updates
Date: 2011-11-27 19:55:18
Message-ID: CADyhKSXH_sdn11vh8vaz4f1s91b+QTM3ZPDZieHLZuUnmHTiXg@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
2011/11/26 Dimitri Fontaine <dimitri(at)2ndquadrant(dot)fr>:
> Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> writes:
>> We still don't have clear direction of the way to implement external permission
>> checks on object creation time. So, please consider these patches are on the
>> proof-of-concept stage; using prep-creation-hook to permission checks.
>
> I wonder if you could implement that as an extension given the command
> trigger patch finds its way in.  What do you think?
>
Unfortunately, it does not solve my point.

My proposition allows an extension to deliver an opaque value being set up
at the prep-creation hook into post-creation hook. It shall be used to deliver
a security label to be assigned on the new object, however, it is unavailable
to assign on prep-creation phase, because its object-id is not fixed yet.
(It is not an option to ask operating system a default security label of the
new object twice, because security policy may be reloaded between prep-
and post-.)

It is also reason why I mentioned about an idea that put prep-creation hook
on a limited number of object classes only. It requires us code modification
to maintain an opaque private between prep- and post- hooks.

Thanks,
-- 
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

In response to

Responses

pgsql-hackers by date

Next:From: David E. WheelerDate: 2011-11-27 20:12:41
Subject: Re: Patch: Perl xsubpp
Previous:From: Kevin GrittnerDate: 2011-11-27 19:18:31
Subject: Re: Feature proposal: www_fdw

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group