| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | donniehan <donniehan(at)126(dot)com> |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #5147: DBA can not access view |
| Date: | 2009-11-02 14:56:03 |
| Message-ID: | 603c8f070911020656w67cfa44al973719aa86631b77@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
2009/11/2 donniehan <donniehan(at)126(dot)com>:
> Hi Tom,
>
> I agree with Hxli. It may be a good way to add permissions check when create
> the view.
>
> I also find 2 pieces of words in the document about the owner of the object.
>
> "By default, only the owner of an object can do anything with the object."
>
> "....as the owner has all privileges by default."
>
> In my case, as the view1 is already owned by user1, so user1 should has all
> privileges of view1, but user1 can not select from view1, I am very confused
> by these words. So it maybe necessary to check the user's permissions when
> he create the object.
Guys, this is pretty straightforward. The permissions on the view
determine who can access it. The permissions of the view owner
determine what the view can access. The way to think about this may
be that a view acts a bit like a setuid program under UNIX: a regular
user can gain superuser privileges; a superuser can give them up.
This may or may not make sense to you and it may or may not be what
you want, but it's NOT A BUG. It's done that way on purpose, it's
well-documented, and it's been that way for a long time. If you want
some explanation of WHY is that way and what it might be useful for,
start by reading the documentation and then if you have questions, ask
on the appropriate mailing list, maybe pgsql-general or pgsql-novice.
...Robert
| From | Date | Subject | |
|---|---|---|---|
| Next Message | donniehan | 2009-11-02 15:19:35 | Re: BUG #5147: DBA can not access view |
| Previous Message | Craig Ringer | 2009-11-02 07:26:36 | Re: Postmaster hangs |