Re: type privileges and default privileges

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: type privileges and default privileges
Date: 2011-11-11 04:17:39
Message-ID: 20111111041738.GL24234@tamriel.snowman.net
Lists: pgsql-hackers

* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Thu, Nov 10, 2011 at 10:52 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > Certainly a big one that people get caught by is our default of execute
> > to public on functions..  Most of our privileges are set up as minimal
> > access to others, functions are an oddity in that regard.  Rather than
> > fight the battle of what the default *should* be for functions, we could
> > just give the DBA the ability to configure it for their database.
>
> Sure, let's do. But that hardly means that we need to store useless
> catalog records in every database where the DBA doesn't do that.

Fair enough, so the direction would be to add 'IN DATABASE' options to
'ALTER DEFAULT PRIVILEGES' and have all the same options there, plus
flags for schema (and any other schema-level/entire-database things)
options? I presume that the 'IN SCHEMA' / 'FOR USER' options would be
used, where those exist, and we'd only fall back to the higher ones if
those don't exist?

Thanks,

Stephen
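
Added example, not part of the original message or of the PostgreSQL sources: how the existing ALTER DEFAULT PRIVILEGES forms (FOR ROLE, IN SCHEMA) interact with the built-in EXECUTE-to-PUBLIC default on functions that the thread discusses. The role and schema names (app_owner, app_user, app) are assumptions made up for the demo, and it uses only existing syntax, not the 'IN DATABASE' option proposed above.

```sql
-- Constructed demo; run as a superuser in a scratch database.
-- app_owner, app_user and schema app are hypothetical names.
BEGIN;
CREATE ROLE app_owner;
CREATE ROLE app_user;
CREATE SCHEMA app AUTHORIZATION app_owner;
SET LOCAL ROLE app_owner;

-- Created under the built-in default: EXECUTE is granted to PUBLIC.
CREATE FUNCTION app.f_before() RETURNS int LANGUAGE sql AS 'SELECT 1';

-- The built-in PUBLIC grant can only be removed with the global form
-- (no IN SCHEMA). Per-schema defaults are added on top of the global
-- ones, so an IN SCHEMA ... REVOKE cannot take away a global grant.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- Per-schema default layered on top: only app_user gets EXECUTE on
-- functions app_owner creates in schema app from now on.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT EXECUTE ON FUNCTIONS TO app_user;

-- Created after the change: picks up the new defaults.
CREATE FUNCTION app.f_after() RETURNS int LANGUAGE sql AS 'SELECT 2';

-- Audit: which functions in the schema are executable by PUBLIC?
-- A NULL proacl means "built-in default", so expand it with acldefault().
-- grantee = 0 is the PUBLIC pseudo-role in aclexplode() output.
SELECT p.oid::regprocedure AS func,
       EXISTS (
           SELECT 1
           FROM aclexplode(coalesce(p.proacl,
                                    acldefault('f', p.proowner))) AS a
           WHERE a.grantee = 0
             AND a.privilege_type = 'EXECUTE'
       ) AS public_can_execute
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'app'
ORDER BY 1;

ROLLBACK;  -- leave the scratch database unchanged
```

Default privileges apply only to objects created afterwards, so functions that already exist keep their PUBLIC grant until it is revoked explicitly with REVOKE EXECUTE ON FUNCTION.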
