Postgres Pro
Downloads
Home   >   mailing lists

Re: GRANT ON ALL IN schema - Mailing list pgsql-hackers

From decibel
Subject Re: GRANT ON ALL IN schema
Date
Msg-id 60269721-937B-477F-BC5E-B71BA453E452@decibel.org
Whole thread Raw
In response to Re: GRANT ON ALL IN schema  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: GRANT ON ALL IN schema  (Richard Huxton <dev@archonet.com>)
List pgsql-hackers
Tree view 
On Aug 5, 2009, at 11:59 AM, Tom Lane wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> ... bulk-grant could be based on object type,
>> object name (with wildcard or regexp pattern), schema membership, or
>> maybe other things, and I think that would be quite useful if we can
>> figure out how to make it clean and elegant.
>
> Yeah.  In the end you can always write a plpgsql function that filters
> on anything at all.  The trick is to pick some useful subset of
> functionality that can be exposed in a less messy way.
>
> Or maybe we are going at this the wrong way?  Would it be better to  
> try
> harder to support the write-a-plpgsql-function approach?  I don't  
> think
> the documentation even mentions that approach, let alone provides any
> concrete examples.  It might be interesting to document it and see if
> there are any simple things we could do to file off rough edges in  
> doing
> grants that way, rather than implementing what must ultimately be a
> limited solution directly in GRANT.

I'm not sure if this is what you were thinking, but something I've  
added to all our databases is a simple exec function (see below).  
This makes it a lot less painful to perform arbitrary operations.  
Perhaps we should add something similar to the core database? On a  
related note, I also have tools.raise(level text, messsage text) that  
allows you to perform a plpgsql RAISE command from sql; I've found  
that to be very useful in scripts to allow for raising an exception.

In this specific case, I think there's enough demand to warrant a  
built-in mechanism for granting, but if something like exec() is  
built-in then the bar isn't as high for what the built-in GRANT  
mechanism needs to handle.

CREATE OR REPLACE FUNCTION tools.exec(    sql text    , echo boolean
) RETURNS text LANGUAGE plpgsql AS $exec$
BEGIN    RAISE DEBUG 'Executing dynamic sql: %', sql;    EXECUTE sql;
    IF echo THEN        RETURN sql;    ELSE        RETURN NULL;    END IF;
END;
$exec$;

The echo parameter is sometimes useful in scripts so you have some  
idea what's going on; but it should be optional.
-- 
Decibel!, aka Jim C. Nasby, Database Architect  decibel@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Null handling and plpython
Next
From: Pavel Stehule
Date:
Subject: Re: GRANT ON ALL IN schema