| From: | Bernd Helmle <mailings(at)oopsware(dot)de> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Cc: | Petr Jelinek <pjmodos(at)pjmodos(dot)net> |
| Subject: | Re: GRANT ON ALL IN schema |
| Date: | 2009-06-18 09:26:02 |
| Message-ID: | 968B9B6C6E5C937958E5456C@teje |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
--On Mittwoch, Juni 17, 2009 16:44:53 +0300 Peter Eisentraut
<peter_e(at)gmx(dot)net> wrote:
> I think you should design this with a bit wider scope. Instead of just
> "all tables in this schema", think "all tables satisfying some
> condition". It has been requested, for example, to be able to grant on
> all tables that match a pattern.
>
My experience shows that having such a thing is often leading to "bad
practices". People tend to grant everything to every login role instead of
using an intelligent role privilege mechanism.
MySQL for example has such wildcards (using '_' and '%' wildcard patterns),
which often confuses people when having such characters in their
table/database names (of course, i forgot to escape them more than once).
The unpredictable results of messing up a complete schema when using a
broken pattern expression is going to reduce the usefulness of such a
feature, i think.
>> Also since this patch introduces VIEWS as object with grantable
>> privileges, I added GRANT ON VIEW foo syntax which is more or less
>> synonymous to GRANT ON TABLE foo syntax. It felt weird to have GRANT ON
>> ALL VIEWS but not GRANT ON VIEW.
>
> As far as GRANT is concerned, a view is a table, so I would omit the
> VIEW/VIEWS stuff completely.
We have ALTER VIEW now, so why don't implement the same synonym for GRANT?
--
Thanks
Bernd
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2009-06-18 10:11:31 | Re: typos in source comment |
| Previous Message | Fujii Masao | 2009-06-18 09:01:37 | typos in source comment |