
Re: Aclitem "high level description"

From: Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Neil Conway <neilc(at)samurai(dot)com>, PostgreSQL Developers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Aclitem "high level description"
Date: 2004-05-08 10:07:31
Message-ID: Pine.GSO.4.58.0405081146580.20991@chailly99
Lists: pgsql-committers, pgsql-hackers

Dear Peter,

> The functionality of the ACL system is to answer questions like "does
> user X have privilege Y on object Z".

ONE OF the functionalities, and THE functionality from the backend point
of view.

I'm slowly developing a "pg_advisor" schema to check for various
consistency issues. For instance, "do all foreign key checks have
relevant indexes", things like that. I'm also considering writing views to
check for inconsistencies in the granted rights.

> It seems that this question can be answered using existing facilities.

Sure. But this is a functional interface for answering *one* specific
question, which is fine from the backend standpoint. The functions
hide queries to the raw data.

I'm rather trying to find *all* possible answers to some questions, so
typically this would be done with one single large query. For instance,
"is there a granted right in the system where the grantor does not have
the relevant grant option right?". The has_* interface does not allow
me to answer this question; I need to go back to the raw data.

As I already said, querying an array of opaque type is difficult.

> Additionally we have information schema views that list existing
> privileges, and those views are defined using existing facilities.  It
> appears that your tables mostly duplicate that.

Well, that is indeed possible to a partial extent.

In one of the first discussions about the advisor stuff, it appeared that
it was more interesting to rely on pg_catalog than on information_schema,
so I'm looking only at pg_catalog at the moment.

One argument was that some specific information is only available in
pg_catalog. For instance, I need to check for ACLs about groups, but group
is pg-specific and does not appear in information_schema.

I hope that my intent is clearer, have a nice day,

Fabien Coelho - coelho(at)cri(dot)ensmp(dot)fr
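The consistency check Fabien describes above (grants whose grantor lacks the matching grant option) can be written as one catalog query on a modern PostgreSQL, where the aclitem array is no longer opaque because pg_catalog.aclexplode() unnests it into (grantor, grantee, privilege_type, is_grantable) rows. This is an added example, not code from the pg_advisor schema or from the thread; it assumes aclexplode(), which did not exist when this message was written, and it covers relation ACLs in pg_class only (the constructed test setup at the top is there so the query has something to find).

```sql
-- Constructed setup (assumed names, not from the thread): one table, two roles,
-- and a grant chain so the audit query below has rows to reason about.
-- CREATE ROLE r_grantor; CREATE ROLE r_grantee;
-- CREATE TABLE audit_demo(id int);
-- GRANT SELECT ON audit_demo TO r_grantor WITH GRANT OPTION;
-- SET ROLE r_grantor; GRANT SELECT ON audit_demo TO r_grantee; RESET ROLE;

-- Audit: every explicit grant on a relation where the grantor is not the owner
-- and holds no matching privilege WITH GRANT OPTION on that same relation.
WITH grants AS (
    SELECT c.oid            AS relid,
           n.nspname,
           c.relname,
           c.relowner,
           a.grantor,
           a.grantee,
           a.privilege_type,
           a.is_grantable
    FROM pg_catalog.pg_class c
    JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
    CROSS JOIN LATERAL pg_catalog.aclexplode(c.relacl) AS a
    WHERE c.relacl IS NOT NULL                  -- NULL means "owner-only defaults"
      AND c.relkind IN ('r', 'v', 'm', 'S', 'f', 'p')
)
SELECT g.nspname,
       g.relname,
       pg_catalog.pg_get_userbyid(g.grantor) AS grantor,
       CASE WHEN g.grantee = 0 THEN 'PUBLIC'   -- OID 0 in an aclitem is PUBLIC
            ELSE pg_catalog.pg_get_userbyid(g.grantee) END AS grantee,
       g.privilege_type
FROM grants g
WHERE g.grantor <> g.relowner                   -- the owner needs no grant option
  AND NOT EXISTS (
        SELECT 1
        FROM grants h
        WHERE h.relid          = g.relid
          AND h.grantee        = g.grantor
          AND h.privilege_type = g.privilege_type
          AND h.is_grantable
      )
ORDER BY g.nspname, g.relname, grantor, grantee, g.privilege_type;
```

With the constructed setup the query returns nothing, because r_grantor's SELECT grant to r_grantee is backed by its own SELECT WITH GRANT OPTION; after a REVOKE GRANT OPTION FOR SELECT ON audit_demo FROM r_grantor CASCADE the dependent grant disappears as well, so the query still returns nothing. The server tracks these dependencies, so on a healthy cluster the result set should stay empty; any row it does return points at a catalog that was edited by hand or restored inconsistently, which is exactly the kind of finding an advisor view is meant to surface. The query deliberately ignores privileges inherited through role membership and superuser status, which are resolved at check time rather than recorded in relacl.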
