* Robert Haas (robertmhaas@gmail.com) wrote:
> On Tue, Jun 17, 2014 at 10:06 PM, Stephen Frost <sfrost@snowman.net> wrote:
> > I had taken it to be a single privilege, but you're right, it could be
> > done for each of those.. I really don't think we have the bits for more
> > than one case here though (if that) without a fair bit of additional
> > rework. I'm not against that rework (and called for it wayyy back when
> > I proposed the TRUNCATE privilege, as I recall) but that's a whole
> > different challenge and no small bit of work..
>
> Technically, there are 4 bits left, and that's what we need for
> separate privileges.
I'd really hate to chew them all up..
> We last consumed bits in 2008 (for TRUNCATE) and
> 2006 (for GRANT ON DATABASE), so even if we used all of the remaining
> bits it might be another 5 years before anyone has to do that
> refactoring.
Perhaps, or we might come up with some new whiz-bang permission to add
next year. :/
> But even if the refactoring needs to be done now for
> some reason, it's only June, and the last CommitFest doesn't start
> until February 15th. I think we're being way too quick to jump to
> talking about what can and can't be done in time for 9.5. Let's start
> by figuring out how we'd really like it to work and then, if it's too
> ambitious, we can scale it back.
Alright- perhaps we can discuss what kind of refactoring would be needed
for such a change then, to get a better idea as to the scope of the
change and the level of effort required.
My thoughts on how to address this were to segregate the ACL bits by
object type. That is to say, the AclMode stored for databases might
only use bits 0-2 (create/connect/temporary), while tables would use
bits 0-7 (insert/select/update/delete/references/trigger). This would
allow us to more easily add more rights at the database and/or
tablespace level too.
> My main concern about using only one bit is that someone might want to
> allow a user to bypass RLS on SELECT while still enforcing it for
> data-modifying operations. That seems like a plausible use case to
> me.
I absolutely agree that it's a real use-case and one which we should
support, just trying to avoid biting off more than can be done between
now and February. Still, if we get things hammered out and more-or-less
agreement on the way forward, getting the code written may move quickly.
Thanks,
Stephen
