Обсуждение: ALTER USER versus GRANT/REVOKE
Dear PG developers,
beeing used to Oracle, I am a bit confused by PG's SQL support for user rights:
Rather than with "GRANT createdb TO user" user rights are set via "ALTER USER".
Why?
I see the following problems with the current implementation:
a) It is not flexible for future extensions: you always need *two*
keywords for the ALTER USER statement (CREATETABLE/NOCREATETABLE etc.)
The User rights are boolean flags in pg_user, this requires changes
in this table for every little new right (CONNECT, CREATEFUNCTION...).
b) (More important) It does not allow for roles with a user defined
right profile. Eg. it should be possible for database administrators
to define a custom group (eg. "developers") with specific rights:
CREATE GROUP developers;
GRANT CONNECT, CREATETABLE, CREATEFUNCTION to developers;
Or is there some way to accomplish this with the current implementation?
Christoph Dalitz
journal=> \h grant
Command: GRANT
Description: Grants access privilege to a user, a group or all users
Syntax:
GRANT privilege [, ...] ON object [, ...]
TO { PUBLIC | GROUP group | username }
Am I misunderstanding your question, or is this what you're looking for?
-ron
> -----Original Message-----
> From: Christoph Dalitz [mailto:christoph.dalitz@hs-niederrhein.de]
> Sent: Friday, August 30, 2002 1:36 AM
> To: PG Mailing List
> Subject: [GENERAL] ALTER USER versus GRANT/REVOKE
>
>
> Dear PG developers,
>
> beeing used to Oracle, I am a bit confused by PG's SQL
> support for user rights:
> Rather than with "GRANT createdb TO user" user rights are set
> via "ALTER USER".
>
> Why?
>
> I see the following problems with the current implementation:
>
> a) It is not flexible for future extensions: you always need *two*
> keywords for the ALTER USER statement
> (CREATETABLE/NOCREATETABLE etc.)
> The User rights are boolean flags in pg_user, this requires changes
> in this table for every little new right (CONNECT,
> CREATEFUNCTION...).
>
> b) (More important) It does not allow for roles with a user defined
> right profile. Eg. it should be possible for database
> administrators
> to define a custom group (eg. "developers") with specific rights:
>
> CREATE GROUP developers;
> GRANT CONNECT, CREATETABLE, CREATEFUNCTION to developers;
>
> Or is there some way to accomplish this with the current
> implementation?
>
> Christoph Dalitz
>
> ---------------------------(end of
> broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
http://archives.postgresql.org
On Fri, 30 Aug 2002 08:29:11 -0700
Ron Snyder <snyder@roguewave.com> wrote:
>
> journal=> \h grant
> Command: GRANT
> Description: Grants access privilege to a user, a group or all users
> Syntax:
> GRANT privilege [, ...] ON object [, ...]
> TO { PUBLIC | GROUP group | username }
>
> Am I misunderstanding your question, or is this what you're looking for?
>
I was not refering to access privileges for specific objects, but to
general user privileges like
- CREATEDB
- CREATEUSER
- CREATETABLE (not yet supported by PG)
- CREATEFUNCTION (not yet supported by PG)
- ... (not yet supported by PG)
These are granted with ALTER USER in PG 7.2.
Although PG has very limited support for these at the moment, I see
a problem with the current implementation if it is extended to more
user privileges.
Christoph