Re: Schema security - Mailing list pgsql-admin

From Alvaro Herrera
Subject Re: Schema security
Date
Msg-id 20071213130114.GB6262@alvh.no-ip.org
Whole thread Raw
In response to Re: Schema security  (Paul Lambert <paul.lambert@reynolds.com.au>)
List pgsql-admin
Paul Lambert wrote:

> Taking your example of file permissions - although it is not default
> behavior, it is possible to recursively apply a priviledge change to a
> directory onto files/subdirectories within it. Certainly it can be done on
> OpenVMS and Windows that I work with primarily and I'm 99% sure it can be
> done on *ix systems too.
>
> I.e.
> GRANT ALL ON SCHEMA <blah> TO <role> CASCADE;
> NOTICE: GRANT ALL cascades to table "billings"
> NOTICE: GRANT ALL cascades to table "customers"
> NOTICE: GRANT ALL cascades to function "calculate_daily_balance()"
> etc...

Yes, it can be done at least with GNU chmod by using chmod -R.

The problem is that it doesn't work too well for schemas -> tables,
because the set of acceptable privileges is completely different.  So
the only case that would work is GRANT ALL.  Perhaps what could work is
to be able to specify wildcards in GRANT, for example

GRANT SELECT, INSERT ON TABLE schema.* TO <role>

The problem with this idea is what happens if you create a new table in
that schema?  Is the role given access to that table?  (The other
problem is whether this new command conforms to the SQL standard, or is
it in conflict with it.)

--
Alvaro Herrera                 http://www.amazon.com/gp/registry/CTMLCN8V17R4
"Estoy de acuerdo contigo en que la verdad absoluta no existe...
El problema es que la mentira sí existe y tu estás mintiendo" (G. Lama)

pgsql-admin by date:

Previous
From: Paul Lambert
Date:
Subject: Re: Schema security
Next
From: olivier boissard
Date:
Subject: Re: improve performance in a big table