References and privileges - Mailing list pgsql-sql

From Kyle Bateman
Subject References and privileges
Date
Msg-id 393EECB4.49E68076@actarg.com
List pgsql-sql
wieck@debis.com (Jan Wieck) writes:
>> If one does:
>>
>> [...]
>> grant select on master to a_user;
>> grant select, insert, update, delete on detail to a_user;
>>
>> then if one logs in as "a_user" and does:
>>
>> insert into detail (id, master_id) values (1, 10);
>>
>> this will result in: "ERROR:   master: Permission denied".
>>
>> This seems a bug to me? Isn't it?

> Ouch,

>     yes, we missed something here. Peter, you said you'll
>     probably work on the ACL stuff after 7.0. We need to
>     coordinate that work with the function manager redesign to go
>     for SETUID triggers and functions.

Hey Jan:

This one just bit me hard.  We're trying to implement RI so a foreign
key (employee ID number) is verified to exist in the employee table.
Problem is, we have to grant everyone and their dog access to the
employee table (select, update, no less) which contains all kinds of
sensitive data about employees.

We even tried making a limited view of the employee table and
referencing that.  No luck, the RI triggers try to find an OID column in
the referenced table (view).  If we could name a column "oid" in a view,
we might have a chance with this approach.

How hard would it be to get the "grant references" thing going?  Is
there anything I could do to help?

Grant permissions on columns would also solve this problem.  Is that one
huge or not so huge?

Kyle
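
Added example, not part of the message above or of the PostgreSQL project's code: the two least-privilege options the message asks about, written for current PostgreSQL, where foreign-key checks run with the privileges of the referenced table's owner and both REFERENCES and column-level grants exist. The column definitions, the "secret" column, the "ref_id_check" constraint name and the sample rows are assumptions, since the quoted message elides the DDL.

```sql
-- Run as the owner of both tables. Constructed schema and data.
CREATE TABLE master (
    id     integer PRIMARY KEY,
    secret text                 -- stands in for the sensitive employee data
);
CREATE TABLE detail (
    id        integer PRIMARY KEY,
    master_id integer REFERENCES master (id)
);
INSERT INTO master (id, secret) VALUES (10, 'constructed sample value');

CREATE ROLE a_user;

-- a_user may write detail and is granted nothing at all on master.
GRANT SELECT, INSERT, UPDATE, DELETE ON detail TO a_user;

SET ROLE a_user;
-- Succeeds: the RI trigger looks up master.id as the owner of master,
-- not as a_user, so no grant on master is needed.
INSERT INTO detail (id, master_id) VALUES (1, 10);
-- Expected to fail with a foreign-key violation (no master row 99).
INSERT INTO detail (id, master_id) VALUES (2, 99);
-- Expected to fail with "permission denied for table master".
SELECT secret FROM master;
RESET ROLE;

-- Column-level privilege: expose only the key column for reads,
-- keeping the sensitive columns unreadable.
GRANT SELECT (id) ON master TO a_user;

-- REFERENCES privilege: let a_user define its own foreign keys that
-- point at master(id) without any read access to master.
GRANT REFERENCES (id) ON master TO a_user;

-- Review what a_user actually holds on the sensitive table.
SELECT has_table_privilege('a_user', 'master', 'SELECT')         AS table_select,
       has_column_privilege('a_user', 'master', 'secret', 'SELECT') AS secret_select,
       has_column_privilege('a_user', 'master', 'id', 'REFERENCES') AS id_references;
-- table_select = f, secret_select = f, id_references = t
```

Even with no read access, the success or failure of an insert into detail still tells a_user whether a given key exists in master, so treat the key column itself as disclosed.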

