Re: Column-Level Privileges

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> Attached is an updated patch for column-level privileges.

Applied with revisions. The main externally visible change is that I
implemented per-column REFERENCES privilege, since that's required by
spec. I did some heavy revision of the parsing support too, as per
previous dicussions, and editorial cleanup and bugfixing elsewhere.

There are still some significant loose ends though:

* Some of the information_schema views are specified to respond to
per-column privileges; the column_privileges and columns views
certainly need work now to meet spec, and there might be others.

* It might be appropriate to let the pg_stats view expose stats for
columns you have select privilege for, even if you haven't got it
across the whole table.

* We probably ought to invent has_column_privilege SQL functions
analogous to has_table_privilege; this is not just for completeness,
but is probably necessary to finish the above items.

* ISTM that COPY with a column list should succeed if you have
SELECT or INSERT privilege on just the mentioned columns.

* Perhaps it would be appropriate to let LOCK TABLE succeed if you have
proper permissions on at least one column of the table. However, it's
bad enough that LOCK TABLE examines permissions before locking the table
now; I don't think it ought to be grovelling through the columns without
lock. So this might be a place to leave well enough alone.

regards, tom lane