Re: [HACKERS] Schemas: status report, call for developers

Tom Lane wrote:
> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> > I don't have a better idea, but I am wondering how this will work. If I
> > create a schema with my name, does it get added to the front of my
> > schema schema search path automatically,
>
> Yes (unless you've futzed with the standard value of search_path).
>
> > If I want to prevent some users from creating tables in my database, do
> > I remove CREATE on the schema using REVOKE SCHEMA, then create a schema
> > for every user using the database?
>
> Well, you revoke world create access on the public schema (or maybe even
> delete the public schema, if you don't need it). I don't see why you'd
> give people their own schemas if the intent is to keep them from
> creating tables.

No, I was saying you would have to create schemas for the people who you
_want_ to be able to create tables.

With the old NOCREATE patch, you could just remove create permission
from a user. With schemas, you have to remove all permission for table
creation, then grant it to those you want by creating schemas for them.

This is similar to handling of Unix permissions. If you want to
restrict access to a file or directory, you remove public permission,
and add group permission, then add the people who you want access to
that group.

There are no _negative_ permissions, as there are no negative
permissions in the unix file system. I just wanted to be clear that
restricting access will be multi-step process.

If I remove public create access to public, can the super user or db
owner still create tables?

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026