Re: Extending grant insert on tables to sequences

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Jaime Casanova <jcasanov(at)systemguards(dot)com(dot)ec>, Bruce Momjian <bruce(at)momjian(dot)us>, Abhijit Menon-Sen <ams(at)oryx(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Jaime Casanova <systemguards(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Extending grant insert on tables to sequences
Date: 2008-09-04 00:41:41
Message-ID: 20080904004141.GN16005@tamriel.snowman.net
Lists: pgsql-hackers pgsql-patches

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > * Jaime Casanova (jcasanov(at)systemguards(dot)com(dot)ec) wrote:
> >> updating the patch with one that only extends inserts. though, I
> >> haven't looked at the col level privs patch yet.
>
> > At least initially I wasn't planning to support column-level privileges
> > for sequences, so I don't think it will affect you much. Do people
> > think it makes sense to try and support that?
>
> USAGE certainly wouldn't be column-level in any case --- it'd be a
> privilege on the sequence as such. That end of it isn't the problem;
> the problem is that column-level privileges on the table make it hard to
> decide when to grant rights on the sequence, as I pointed out last time
> round:
> http://archives.postgresql.org/pgsql-hackers/2008-07/msg00624.php

Ah, obviously I hadn't read far enough back about this patch. I agree
that sequence USAGE should be granted when insert is granted on any
column. One suggestion is that as the SQL spec indicates that a
table-level revoke implies a revoke on all columns, we could have the
revocation of the sequence permissions done only on table-level
revocation of insert and not on any individual column-level insert, even
if that was the last column which insert rights were granted on.

I have to admit that I'm not a big fan of that though because a given
state on the table wouldn't imply a particular state for the sequence-
it would depend on how you got there. The way the code is currently
laid out for the column-level privileges, it wouldn't be that difficult
to go through all of the other columns and check if this was the last
insert being revoked, but I don't particularly like that either, and
it strikes me as 99% of the time being wasted effort. I guess if we
could check for and only go through that effort when there is a sequence
in place with implicit grants it might not be too bad.

> > As your patch appears more ready-for-commit than the column-level
> > privileges patch, I wouldn't worry about what code might have to move
> > around, that'll be for me to deal with in a re-sync with HEAD once your
> > patch is committed.
>
> I think that's backwards. The above message raises serious concerns
> about whether the USAGE-granting patch can be implemented at all in the
> presence of column-level privileges. I think the right thing is to get
> column privileges in and then see if it's possible to implement
> USAGE-granting compatibly. I don't want to commit a patch that is
> clearly going to be broken when (not if) column privileges arrive.

Now that I understand the situation better, I agree with you on this. I
hadn't realized this patch was about implicit grants on sequences. Sorry
for the noise.

Thanks,

Stephen
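
The path-dependence concern raised in the message above, as an added example that is not part of the original message and is not PostgreSQL code. It is a toy model; the class `Acl`, the policy names, the role `alice` and the column `id` are all assumptions made for illustration.

```python
class Acl:
    """Toy model: INSERT privileges on one table plus implicit sequence USAGE."""

    def __init__(self, policy):
        self.policy = policy        # "table_level_only" or "last_insert"
        self.table_insert = set()   # roles holding table-level INSERT
        self.column_insert = {}     # role -> columns with column-level INSERT
        self.seq_usage = set()      # roles holding implicit USAGE on the sequence

    def has_any_insert(self, role):
        return role in self.table_insert or bool(self.column_insert.get(role))

    def grant_insert(self, role, column=None):
        if column is None:
            self.table_insert.add(role)
        else:
            self.column_insert.setdefault(role, set()).add(column)
        self.seq_usage.add(role)    # USAGE is granted with INSERT on any column

    def revoke_insert(self, role, column=None):
        if column is None:
            # A table-level revoke implies a revoke on all columns.
            self.table_insert.discard(role)
            self.column_insert.pop(role, None)
            self.seq_usage.discard(role)
            return
        self.column_insert.get(role, set()).discard(column)
        # Alternative policy: on each column revoke, check whether any
        # INSERT privilege remains and drop USAGE if none does.
        if self.policy == "last_insert" and not self.has_any_insert(role):
            self.seq_usage.discard(role)

    def table_state(self, role):
        return (role in self.table_insert,
                frozenset(self.column_insert.get(role, ())))


def run(policy, steps, role="alice"):
    """Apply steps and return (table privilege state, has sequence USAGE)."""
    acl = Acl(policy)
    for op, column in steps:
        getattr(acl, op)(role, column)
    return acl.table_state(role), role in acl.seq_usage


# Constructed histories that end in the same table privilege state.
PATH_A = [("grant_insert", "id"), ("revoke_insert", "id")]  # column-level revoke
PATH_B = [("grant_insert", "id"), ("revoke_insert", None)]  # table-level revoke
```

Under `table_level_only` the two histories leave identical table privileges but different sequence privileges; under `last_insert` they agree, at the cost of the scan on every column-level revoke.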
