Re: Allow GRANT/REVOKE permissions to be applied to all schema objects with one command - Mailing list pgsql-hackers

From Merlin Moncure
Subject Re: Allow GRANT/REVOKE permissions to be applied to all schema objects with one command
Msg-id 6EE64EF3AB31D5448D0007DD34EEB3412A75FB@Herge.rcsinc.local
In response to Allow GRANT/REVOKE permissions to be applied to all schema objects with one command  (Matthias Schmidt <schmidtm@mock-software.de>)
Responses Re: Allow GRANT/REVOKE permissions to be applied to all schema objects with one command
List pgsql-hackers
Matthias wrote:
> I think it is best to code the basic functionality within the two new
> commands, and see how this works out. We can add your idea and others
> on top of it later on.

I think you should do whatever you think is most
appropriate...discussion can of course continue after you have a
workable patch...I'm just a pundit anyways...

Just for your consideration though:

Is this:
GRANT SELECT ON ALL TABLES IN public TO phpuser;
GRANT SELECT ON NEW TABLES IN public TO phpuser;

Really better than this?
GRANT { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER
        | EXECUTE | CREATE | ALL [ PRIVILEGES ] }
    ON SCHEMA schemaname [, ...]
    TO { username | GROUP groupname | PUBLIC } [, ...]
    [ WITH GRANT OPTION ]

A table or function privilege, if it exists, will override anything for
the table.  This will be faster (FWIW) than a multiple table grant
because it's just setting one permission at the schema level.  Someone
else will have to comment on how effectively this will work with
the existing implementation, however.

For example, granting 'select' to a schema (which currently is
impossible) solves both the 'all'/'new' problem...it implicitly adds
select privileges to all current tables and new ones...is there really
any reason to distinguish between the two cases?  This is simple and
effective, IMO.

Good luck,
Merlin
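
Added example, not part of the original message or of any patch in this thread: the "all tables" and "new tables" cases written with statements that current PostgreSQL releases provide, plus a query that checks the effective result. The role app_owner, the schema demo (standing in for public) and the three tables are constructed for illustration; it assumes a superuser session in a scratch database.

```sql
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE app_owner NOLOGIN;               -- hypothetical role that creates the tables
CREATE ROLE phpuser NOLOGIN;                 -- grantee named in the message
CREATE SCHEMA demo AUTHORIZATION app_owner;  -- constructed; stands in for "public"
GRANT USAGE ON SCHEMA demo TO phpuser;       -- table grants are unreachable without USAGE

SET LOCAL ROLE app_owner;
CREATE TABLE demo.existing_t (id int);
RESET ROLE;

-- "ALL TABLES" case: a one-time grant over the tables that exist right now.
GRANT SELECT ON ALL TABLES IN SCHEMA demo TO phpuser;

-- "NEW TABLES" case: default privileges for tables created later.
-- They apply only to objects created by the role named in FOR ROLE.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA demo
    GRANT SELECT ON TABLES TO phpuser;

SET LOCAL ROLE app_owner;
CREATE TABLE demo.new_t (id int);            -- picks up the default privilege
RESET ROLE;
CREATE TABLE demo.other_owner_t (id int);    -- created by the superuser, not app_owner

-- Audit the effective privilege per table instead of trusting the grants as typed.
SELECT c.relname,
       pg_get_userbyid(c.relowner)                     AS owner,
       has_table_privilege('phpuser', c.oid, 'SELECT') AS phpuser_can_select
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'demo'
  AND c.relkind = 'r'
ORDER BY c.relname;

ROLLBACK;
```

The table created by a role other than app_owner is the case to watch in an audit: default privileges are keyed to the creating role, so a per-table check is what confirms the grantee's real reach.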

