Re: pre-proposal: permissions made easier

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: David Fetter <david(at)fetter(dot)org>, Jeff Davis <pgsql(at)j-davis(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pre-proposal: permissions made easier
Date: 2009-06-29 16:55:26
Message-ID: 15073.1246294526@sss.pgh.pa.us
Lists: pgsql-hackers

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> David Fetter wrote:
>> There have been previous discussions of prospective permissions
>> changes. Are we restarting them here?

> It's not on the TODO list. I recall it being raised from time to time
> but I certainly don't recall a consensus that it should be done, nor
> how, so if you're implying that such a thing is a settled decision I
> suspect you're not entirely correct. Of course, my memory has been known
> to have errors ...

I think there's widespread agreement that SQL permissions are a pain in
the neck to manage. We haven't got a consensus on a solution to that,
but looking at possibilities is certainly reasonable.

Jeff's idea does amount to granting prospective permissions in one
sense. If you (in the future) grant some permissions to role foo,
then role foo_ro would automatically get some of those permissions too.
I think it has to be looked at in comparison to more general
prospective-permissions schemes; it clearly doesn't do everything you
could wish for in that line, and so we have to ask whether there'd be
much use-case left for it if we do implement something more general.
It also seems to me that a lot of the potential objections are shared
with more general schemes --- in particular, "ooops, I forgot this was
in place and indirectly granted some permissions I shouldn't have"...

regards, tom lane
