Re: Extending grant insert on tables to sequences

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Jaime Casanova <jcasanov(at)systemguards(dot)com(dot)ec>, Bruce Momjian <bruce(at)momjian(dot)us>, Abhijit Menon-Sen <ams(at)oryx(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Jaime Casanova <systemguards(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Extending grant insert on tables to sequences
Date: 2008-09-04 00:41:41
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers pgsql-patches

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > * Jaime Casanova (jcasanov(at)systemguards(dot)com(dot)ec) wrote:
> >> updating the patch with one that only extends inserts. though, i
> >> haven't look at the col level privs patch yet.
> > At least initially I wasn't planning to support column-level privileges
> > for sequences, so I don't think it will affect you much. Do people
> > think it makes sense to try and support that?
> USAGE certainly wouldn't be column-level in any case --- it'd be a
> privilege on the sequence as such. That end of it isn't the problem;
> the problem is that column-level privileges on the table make it hard to
> decide when to grant rights on the sequence, as I pointed out last time
> round:

Ah, obviously I hadn't read far enough back about this patch. I agree
that sequence USAGE should be granted when insert is granted on any
column. One suggestion is that as the SQL spec indicates that a
table-level revoke implies a revoke on all columns, we could have the
revokation of the sequence permissisons done only on table-level
revokation of insert and not on any individual column-level insert, even
if that was the last column which insert rights were granted on.

I have to admit that I'm not a big fan of that though because a given
state on the table wouldn't imply a particular state for the sequence-
it would depend on how you got there. The way the code is currently
laid out for the column-level privileges, it wouldn't be that difficult
to go through all of the other columns and check if this was the last
insert being revoked, but I don't particularly like that either, and
it strikes me as 99% of the time being wasted effort. I guess if we
could check for and only go through that effort when there is a sequence
in place with implicit grants it might not be too bad.

> > As your patch appears more ready-for-commit than the column-level
> > privileges patch, I wouldn't worry about what code might have to move
> > around, that'll be for me to deal with in a re-sync with HEAD once your
> > patch is committed.
> I think that's backwards. The above message raises serious concerns
> about whether the USAGE-granting patch can be implemented at all in the
> presence of column-level privileges. I think the right thing is to get
> column privileges in and then see if it's possible to implement
> USAGE-granting compatibly. I don't want to commit a patch that is
> clearly going to be broken when (not if) column privileges arrive.

Now that I understand the situation better, I agree with you on this. I
hadn't realized this patch was about implicit grants on sequnces. Sorry
for the noise.



In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Greg Smith 2008-09-04 00:42:49 Re: [patch] GUC source file and line number]
Previous Message Stephen Frost 2008-09-04 00:30:52 Re: pg_dump roles support

Browse pgsql-patches by date

  From Date Subject
Next Message Abhijit Menon-Sen 2008-09-04 01:31:26 still alive?
Previous Message Tom Lane 2008-09-04 00:03:54 Re: Extending grant insert on tables to sequences