From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Zhaomo Yang <zmpgzm(at)gmail(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: CREATE POLICY and RETURNING |
Date: | 2015-10-06 02:15:15 |
Message-ID: | 20151006021515.GF3685@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Zhaomo,
* Zhaomo Yang (zmpgzm(at)gmail(dot)com) wrote:
> I just tried a little bit your patch for applying SELECT policies to
> DELETE/UPDATE. It is consistent with the GRANT system so it looks
> really good. I'll test it more thoroughly later.
Great! Glad to hear it.
> Also, I guess we don't need to worry about the syntax of "restrictive
> policies" you mentioned in the upthread since SELECT policies are
> essentially restrictive now.
They are when it comes to applying them on top of other policies to
match the permissions system, but what I believe we'd like is the
ability to *explicitly* make policies both restrictive and permissive.
That would allow a user to create a set of permissive SELECT policies
and than a set of restrictive SELECT policies, which might be much
simpler to manage for their particular use-case.
> Since that work has already been done,
> I'm wondering if I can take the task of allowing policies to reference
> both the 'old' and 'new' versions of the row. I understand that this
> feature won't be considered for 9.5 but I'd like to implement it and
> hopefully get it incorporated into 9.6.
I'd love to see a patch for that for 9.6. Feel free to work on it and
ping me with any questions you have. Once you have a patch, please make
sure to add it to the appropriate commitfest (via
http://commitfest.postgresql.org), so it won't be lost.
Thanks!
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Taiki Kondo | 2015-10-06 03:17:07 | Re: [Proposal] Table partition + join pushdown |
Previous Message | Zhaomo Yang | 2015-10-06 02:09:29 | Re: CREATE POLICY and RETURNING |