Re: GRANT/roles problem: grant is shown as from login role - Mailing list pgsql-hackers

From Kevin Brown
Subject Re: GRANT/roles problem: grant is shown as from login role
Date
Msg-id 20051013004616.GA14950@filer
In response to Re: GRANT/roles problem: grant is shown as from login role  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tom Lane wrote:
> So I think we don't have much choice but to implement theory #2; which
> is essentially the same thing I said earlier, ie, ACLs have to record
> the grantor of a privilege as being the role actually holding the grant
> option, not the role-member issuing the GRANT.

There are really two different considerations here.

The first is the meaning of the role relationships involved.  With
respect to this, I'm in agreement that the recorded grantor of the
privilege should be the role actually holding the option.

But the second is auditing.  It's useful to know which user/role
actually performed the grant in question, independent of the grant
relationships themselves.

These two are at odds with each other only if the system can record
only one of the two things.  The auditing consideration really argues
for the implementation of an audit trail table/structure, if one
doesn't already exist (and if it already exists, then clearly the ACLs
should be storing the id of the role holding the grant, since the
audit structure will separately record the user/role issuing the
grant).



-- 
Kevin Brown                          kevin@sysexperts.com
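The separation Kevin argues for, ACLs recording the role that holds the grant option while an audit structure records who actually issued the statement, can be sketched in plain PostgreSQL. The following is an added example, not code from the thread or from PostgreSQL itself. It assumes PostgreSQL 11 or later (event triggers with EXECUTE FUNCTION), a superuser session to set it up, and constructed names (alice, bob, carol, t, grant_audit, log_grant).

```sql
-- Added example (not from the original thread): an audit trail for
-- GRANT/REVOKE kept separate from the ACL itself.
-- Assumes PostgreSQL 11+ and a superuser session; all names are constructed.

-- 1. Audit structure: records who issued the statement, not who "owns" the grant.
CREATE TABLE public.grant_audit (
    logged_at      timestamptz NOT NULL DEFAULT now(),
    command_tag    text        NOT NULL,   -- 'GRANT' or 'REVOKE'
    login_role     name        NOT NULL,   -- session_user: the role that logged in
    effective_role name        NOT NULL,   -- current_user: role after SET ROLE, if any
    statement      text        NOT NULL    -- the statement as received by the server
);

-- SECURITY DEFINER so that a non-superuser issuing GRANT can still write
-- the audit row; event trigger functions otherwise run as the issuing user.
CREATE OR REPLACE FUNCTION public.log_grant() RETURNS event_trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO public.grant_audit (command_tag, login_role, effective_role, statement)
    VALUES (tg_tag, session_user, current_user, current_query());
END;
$$;

CREATE EVENT TRIGGER audit_grants
    ON ddl_command_end
    WHEN TAG IN ('GRANT', 'REVOKE')
    EXECUTE FUNCTION public.log_grant();

-- 2. Constructed scenario: alice owns a table, bob is a member of alice,
--    and bob issues a GRANT on alice's table.
CREATE ROLE alice;
CREATE ROLE bob LOGIN;
CREATE ROLE carol;
GRANT alice TO bob;
CREATE TABLE public.t (x int);
ALTER TABLE public.t OWNER TO alice;

SET ROLE bob;
GRANT SELECT ON public.t TO carol;
RESET ROLE;

-- 3. The ACL view: the grantor recorded for carol's SELECT privilege is
--    the role holding the grant option (the owner, alice), as the thread
--    concludes it should be.
SELECT grantor, grantee, privilege_type
FROM information_schema.table_privileges
WHERE table_schema = 'public' AND table_name = 't' AND grantee = 'carol';

-- 4. The audit view: who actually ran the statement, independent of the ACL.
SELECT logged_at, command_tag, login_role, effective_role, statement
FROM public.grant_audit
ORDER BY logged_at;
```

The two final queries answer the two different questions in the message: the ACL answers "whose grant option does this privilege depend on", while grant_audit answers "which session and which effective role issued it". Because the event trigger records both session_user and current_user, a GRANT run after SET ROLE shows the login role and the role it switched to side by side.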

