Re: Role incompatibilities
От | Peter Eisentraut |
---|---|
Тема | Re: Role incompatibilities |
Дата | |
Msg-id | 200603241927.11026.peter_e@gmx.net обсуждение исходный текст |
Ответ на | Re: Role incompatibilities (Stephen Frost <sfrost@snowman.net>) |
Ответы |
Re: Role incompatibilities
(Stephen Frost <sfrost@snowman.net>)
|
Список | pgsql-hackers |
Stephen Frost wrote: > Well.. Applicable roles are roles which you can "SET ROLE" to, but > which you don't automatically get the permissions of (inherit). As I > recall, the spec wants all roles to be like this until an explicit > "SET ROLE" is done. When a "SET ROLE" is done, then that role (and > all other roles granted to it) are "enabled". I admit that I had thought exactly that until just the other day when I started researching this, but in my current understanding the standard means something altogether different. Let's start in part 2, 4.34.4: The term enabled authorization identifiers denotes the set of authorization identifiers whose members are the current useridentifier, the current role name, and every role name that is contained in the current role name. The term applicable privileges for an authorization identifier A denotes the union of the set of privileges whose granteeis PUBLIC with the set of privileges whose grantees are A and, if A is a role name, every role name contained in A. The term current privileges denotes the union of the applicable privileges for the current user identifier with the applicableprivileges for the current role name. This means approximately that the applicable privileges are the enabled privileges plus the privileges granted to PUBLIC. This is also consistent with the definitions of the views applicable_roles and enabled_roles in the information schema. The invocation of these definitions happens in the Access Rules of the various clauses, which typically contain something like this (here for the UPDATE command): The current privileges for TN shall include UPDATE for each <object column>. So what in fact happens here is that the applicable privileges of current user and role determine what you can do. The enabled roles have no practical meaning (except in defining what you can see in the information schema, which is weird). > In Postgres terms, the "pg_has_role()" function can provide the > answer to both questions, based on what's passed in. > > For 'enabled' roles: > > pg_has_role('abc','USAGE'); What this actually gives you is both the enabled and the applicable roles because apparently it doesn't work to grant roles to PUBLIC, which would be the only difference. > For 'applicable' roles: > > pg_has_role('abc','MEMBER'); What you get from this has no equivalent in the SQL standard. -- Peter Eisentraut http://developer.postgresql.org/~petere/
В списке pgsql-hackers по дате отправления: