| From: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | PostgreSQL Developers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: inconsistent owners in newly created databases? |
| Date: | 2004-05-04 14:34:27 |
| Message-ID: | Pine.LNX.4.58.0405041620420.9381@sablons.cri.ensmp.fr |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Dear Tom,
> > UPDATE pg_catalog.pg_namespace
> > SET nspowner=datdba, nspacl=NULL -- NULL means default rights...
> > The later is simple and makes sense anyway for a newly created database.
>
> No, I don't think it does. The DBA presently can set up a site-wide
> policy about use of "public" by altering its permissions in template1.
> For example, he might revoke create access from most users. People will
> be surprised if that fails to carry over to created databases.
Ok, I understand that.
So that would mean switching all grantors to the owner in the aclitem
array? Maybe some function would be useful for that, so as to stick to
SQL:
UPDATE pg_namespace
SET nspowner = datdba,
nspacl = aclitems_switch_grantor(nspacl, datdba)
FROM ... WHERE ...;
but I'm not sure adding such an horrible "user" function in pg_proc would
be welcome, as aclitem accessors were removed two days ago.
The alternative is to do it in C within the backend, but I would have
liked the plain SQL better. Just a mater of taste, I guess.
Pg backend philosophy: why writing SQL if you can do it in C? ;-)
I'll have a look at it if I have time, maybe over the week-end.
Thanks for your insight.
--
Fabien Coelho.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Garamond | 2004-05-04 15:11:22 | Re: The features I'm waiting for. |
| Previous Message | Tom Lane | 2004-05-04 13:47:42 | Re: inconsistent owners in newly created databases? |