On Fri, Sep 11, 2015 at 9:48 AM, Stephen Frost <sfrost@snowman.net> wrote:
> The only reason to avoid providing that flexibility is the concern that
> it might be misunderstood and users might misconfigure their system.
> Removing the flexibility to have per-command visibility policies and
> instead force a single visibility policy doesn't add any capabilities.
That seems like an extremely weak argument. If a feature can't be
used for anything useful, the fact that it doesn't actively interfere
with the use of other features that are useful is not a reason to keep
it. Clearly, something needs to be done about this. Saying, you can
restrict by something other than ALL but it adds no security and
serves no use cases is, frankly, a ridiculous position. Tom's
proposal downthread is a reasonable one, and I endorse it: there may
be other approaches as well. But regardless of the particular
approach, if we're going to have per-command policies, then you need
to do the work to make them useful.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company