From: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | PostgreSQL Developers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: inconsistent owners in newly created databases? |
Date: | 2004-05-04 14:34:27 |
Message-ID: | Pine.LNX.4.58.0405041620420.9381@sablons.cri.ensmp.fr |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Dear Tom,
> > UPDATE pg_catalog.pg_namespace
> > SET nspowner=datdba, nspacl=NULL -- NULL means default rights...
> > The later is simple and makes sense anyway for a newly created database.
>
> No, I don't think it does. The DBA presently can set up a site-wide
> policy about use of "public" by altering its permissions in template1.
> For example, he might revoke create access from most users. People will
> be surprised if that fails to carry over to created databases.
Ok, I understand that.
So that would mean switching all grantors to the owner in the aclitem
array? Maybe some function would be useful for that, so as to stick to
SQL:
UPDATE pg_namespace
SET nspowner = datdba,
nspacl = aclitems_switch_grantor(nspacl, datdba)
FROM ... WHERE ...;
but I'm not sure adding such an horrible "user" function in pg_proc would
be welcome, as aclitem accessors were removed two days ago.
The alternative is to do it in C within the backend, but I would have
liked the plain SQL better. Just a mater of taste, I guess.
Pg backend philosophy: why writing SQL if you can do it in C? ;-)
I'll have a look at it if I have time, maybe over the week-end.
Thanks for your insight.
--
Fabien Coelho.
From | Date | Subject | |
---|---|---|---|
Next Message | David Garamond | 2004-05-04 15:11:22 | Re: The features I'm waiting for. |
Previous Message | Tom Lane | 2004-05-04 13:47:42 | Re: inconsistent owners in newly created databases? |