Re: WIP: Column-level Privileges

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Markus Wanner <markus(at)bluegap(dot)ch>, PostgreSQL-development Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: WIP: Column-level Privileges
Date: 2008-11-02 04:13:14
Message-ID: 20081102041314.GS4452@tamriel.snowman.net
Lists: pgsql-hackers

Markus, et al,

* Stephen Frost (sfrost(at)snowman(dot)net) wrote:
> I also wonder if you could use joins or something
> to extract information about columns you're not supposed to have access
> to, or where clauses, etc.

Welp, I've done some additional testing and there's good news and bad, I
suppose. The good news is that when relations are join'd, they go
through expandRelation, which adds all the columns in that relation to
the 'required' set, so you have to have rights to all columns on a table
to join against it in the normal way.

On the other hand, you can just select out the columns you have access
to in a subquery and then join against *that* and it works. Updates
with where clauses and inserts-with-selects seem to work correctly
though, which is nice. A case I just realized might be an issue is
doing a 'select 1 from x;' where you have *no* rights on x, or any
columns in it, would still get you the rowcount. That might not be too
hard to fix though, I'll look into it tomorrow sometime.

Thanks,

Stephen
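
Added example, not part of the original message and not code from the patch: a privilege regression script covering the cases the message walks through. The tables x and y, the roles col_reader and no_rights, and the column names are all hypothetical; the per-case notes restate what the message reports for the WIP patch.

```sql
-- Constructed schema and data; every name here is hypothetical.
CREATE TABLE x (id int, public_val text, secret_val text);
CREATE TABLE y (id int, note text);
INSERT INTO x VALUES (1, 'a', 's1'), (2, 'b', 's2');
INSERT INTO y VALUES (1, 'n1');

CREATE ROLE col_reader;   -- gets column-level rights on x only
CREATE ROLE no_rights;    -- gets nothing on x at all
GRANT SELECT (id, public_val) ON x TO col_reader;
GRANT UPDATE (public_val)     ON x TO col_reader;
GRANT SELECT, INSERT          ON y TO col_reader;

SET ROLE col_reader;

-- Case 1: plain join against x.
-- Per the message, the join goes through expandRelation, which puts every
-- column of x (including secret_val) in the required set, so the WIP patch
-- demands rights on all columns here.
SELECT y.note FROM y JOIN x ON x.id = y.id;

-- Case 2: join against a subquery that selects only the granted columns.
-- Per the message, this works; only id and public_val are checked.
SELECT y.note, s.public_val
  FROM y JOIN (SELECT id, public_val FROM x) s ON s.id = y.id;

-- Case 3: UPDATE whose WHERE clause reads a column without SELECT rights.
-- The message reports this is handled correctly. A correct check refuses
-- it, since the affected-row count would otherwise reveal secret_val.
UPDATE x SET public_val = 'c' WHERE secret_val = 's1';

-- Case 4: INSERT ... SELECT that reads the ungranted column.
-- Also reported as handled correctly; the read of secret_val must be checked.
INSERT INTO y (id, note) SELECT id, secret_val FROM x;

RESET ROLE;
SET ROLE no_rights;

-- Case 5: no column of x is referenced and the role has no rights on x.
-- The message flags this as a possible leak of the row count under the
-- WIP patch; the check to verify is that it ends in a permission error.
SELECT 1 FROM x;

RESET ROLE;
DROP TABLE x, y;
DROP ROLE col_reader, no_rights;
```

Run it outside a transaction block (for example with psql and ON_ERROR_STOP off) so that each permission error is reported and the following case still executes.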
