Re: AW: AW: Proposal for enhancements of privilege system

Zeugswetter Andreas SB writes:

> Again Hmm ? Are you going to do select * from <authtable> where pri="select"
> or some such ? Usually you look up a users rights for a specific table,
> and that needs to be fast.

Exactly, that's why I have to do it like this. To interface a system
catalog to the shared cache you need a primary key, which would be
(object, user, action) in my proposal. With that setup I can easily make
queries of the sort "does user X have select right on table Y" as fast as
possible, no slower than, say, looking up an attribute definition in
pg_attribute.

With several privileges per row you make the table unnecessarily sparse,
you make interfacing to the catalog cache a nightmare, and you create all
sorts of funny implementation problems (for example, revoking a privilege
might be an update or a delete, depending on whether it was the last
privilege revoked).


-- 
Peter Eisentraut                  Sernanders väg 10:115
peter_e@gmx.net                   75262 Uppsala
http://yi.org/peter-e/            Sweden