Re: pre-proposal: permissions made easier
| От | Tom Lane |
|---|---|
| Тема | Re: pre-proposal: permissions made easier |
| Дата | |
| Msg-id | 11946.1246215417@sss.pgh.pa.us обсуждение |
| Ответ на | Re: pre-proposal: permissions made easier (Jeff Davis <pgsql@j-davis.com>) |
| Ответы |
Re: pre-proposal: permissions made easier
|
| Список | pgsql-hackers |
Jeff Davis <pgsql@j-davis.com> writes:
> On Sun, 2009-06-28 at 14:32 -0400, Tom Lane wrote:
>> Jeff Davis <pgsql@j-davis.com> writes:
>>> My idea is to have a "GRANT mask":
>>> CREATE ROLE foo_ro GRANT (SELECT ON TABLE, USAGE ON SCHEMA) FROM foo;
>>
>> You haven't really explained what "foo" is here.
> I meant for "foo" to be a user. "foo_ro" would be the read-only version,
> who has a strict subset of foo's permissions.
I see. It seems like rather a complicated (and expensive) mechanism
for a pretty narrow use-case. It'd only help for the cases where you
could define your permissions requirements that way. I agree that
there are some such cases, but I think real-world problems tend to be
a bit more complicated than that. I fear people would soon want
exceptions to the "strict subset" rule; and once you put that in,
the conceptual simplicity disappears, as does the ability to easily
verify what the set of GRANTs is doing.
regards, tom lane
В списке pgsql-hackers по дате отправления: