Re: [PATCH] DefaultACLs

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Petr Jelinek <pjmodos(at)pjmodos(dot)net>, Jan Urbański <wulczer(at)wulczer(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] DefaultACLs
Date: 2009-09-29 02:44:30
Message-ID: 29335.1254192270@sss.pgh.pa.us
Lists: pgsql-hackers

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> I haven't read the patch, but it seems like one possible solution to
> this problem would be to declare that any DEFAULT PRIVILEGES you
> set are cumulative. If you configure a global default, a per-schema
> default, a default for tables whose names begin with the letter q, and
> a default for tables created between midnight and 4am, then a table
> called quux created in that schema at 2:30 in the morning will get the
> union of all four sets of privileges.

Hmm ... interesting proposal. Simple to understand and simple to
implement, which are both to the good. I'm not clear though on whether
this behavior would be useful in practice. Any comments from those
who've been asking for default ACLs?

One potential trouble spot is that presumably the built-in default
privileges (eg, PUBLIC EXECUTE for functions) would *not* cumulate
with user-specified defaults. So you'd have a behavior where a
function would not get PUBLIC EXECUTE automatically if it matched
any of the available defaults, but would get it if it managed to
miss matching them all. I am not sure if that's bad or not, but
it seems kind of inconsistent.

regards, tom lane
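
An added illustration, not part of the original message or the patch: a small Python model of the cumulative proposal quoted above, in which the built-in default applies only when no user-specified default matches, as the message presumes. The class, function, role and schema names are hypothetical, and the sample defaults are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Built-in default named in the message; the empty table entry is an assumption.
BUILTIN = {"function": frozenset({("PUBLIC", "EXECUTE")}), "table": frozenset()}


@dataclass(frozen=True)
class DefaultRule:
    kind: str                      # object type the default applies to
    grants: frozenset              # (grantee, privilege) pairs it adds
    schema: Optional[str] = None   # None means a global default

    def matches(self, obj: dict) -> bool:
        return obj["kind"] == self.kind and self.schema in (None, obj["schema"])


def effective_acl(obj: dict, rules: list) -> frozenset:
    """Union of every matching user default; built-in default only if none match."""
    matched = [r.grants for r in rules if r.matches(obj)]
    if not matched:
        return BUILTIN[obj["kind"]]
    return frozenset().union(*matched)


def dropped_builtin(obj: dict, rules: list) -> frozenset:
    """Built-in grants the object loses because some user default matched."""
    return BUILTIN[obj["kind"]] - effective_acl(obj, rules)


# Constructed sample defaults and objects (roles and schemas are made up).
RULES = [
    DefaultRule("table", frozenset({("app_ro", "SELECT")})),
    DefaultRule("table", frozenset({("app_rw", "INSERT")}), schema="app"),
    DefaultRule("function", frozenset({("app_rw", "EXECUTE")}), schema="app"),
]
QUUX = {"kind": "table", "schema": "app", "name": "quux"}
F_APP = {"kind": "function", "schema": "app", "name": "f"}
G_OTHER = {"kind": "function", "schema": "other", "name": "g"}

if __name__ == "__main__":
    for obj in (QUUX, F_APP, G_OTHER):
        print(obj["name"], sorted(effective_acl(obj, RULES)),
              "dropped:", sorted(dropped_builtin(obj, RULES)))
```

The two functions differ only in schema, yet one keeps PUBLIC EXECUTE and the other loses it, which is the inconsistency the message describes.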
