Tom Lane wrote:
> Paul Lambert <paul(dot)lambert(at)reynolds(dot)com(dot)au> writes:
>> I would have thought giving the user all privileges on a schema would by
>> default add them to all objects within it,
> Why would you think that?
> The analogy to think about is that usage privilege on a schema is
> comparable to read access on a directory. That doesn't necessarily give
> you access to any single file in the directory --- but lack of it does
> ensure you cannot get to those files.
> regards, tom lane
Point taken and yes, I would agree that default behavior should be to
not give priviledges to anything other than the explicitly defined
object - but would it not be a good idea to provide some sort of
cascade/recurse option to granting/revoking privileges so that doing so
on a container object results in the priviledges being propogated down
the line for the cases where such is desired?
Taking your example of file permissions - although it is not default
behavior, it is possible to recursively apply a priviledge change to a
directory onto files/subdirectories within it. Certainly it can be done
on OpenVMS and Windows that I work with primarily and I'm 99% sure it
can be done on *ix systems too.
GRANT ALL ON SCHEMA <blah> TO <role> CASCADE;
NOTICE: GRANT ALL cascades to table "billings"
NOTICE: GRANT ALL cascades to table "customers"
NOTICE: GRANT ALL cascades to function "calculate_daily_balance()"
Much the same way that truncate or drop and so forth can have a cascade
option to propogate down to dependant objects.
In response to
pgsql-admin by date
|Next:||From: Alvaro Herrera||Date: 2007-12-13 13:01:15|
|Subject: Re: Schema security|
|Previous:||From: Bansal, Gaurav (Gaurav)||Date: 2007-12-13 05:53:00|
|Subject: Re: Postgres Start|