Re: AW: AW: Proposal for enhancements of privilege system - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: AW: AW: Proposal for enhancements of privilege system
Date
Msg-id Pine.LNX.4.21.0006011540070.372-100000@localhost.localdomain
Whole thread Raw
In response to AW: AW: Proposal for enhancements of privilege system  (Zeugswetter Andreas SB <ZeugswetterA@wien.spardat.at>)
List pgsql-hackers
Zeugswetter Andreas SB writes:

> Again Hmm ? Are you going to do select * from <authtable> where pri="select"
> or some such ? Usually you look up a users rights for a specific table,
> and that needs to be fast.

Exactly, that's why I have to do it like this. To interface a system
catalog to the shared cache you need a primary key, which would be
(object, user, action) in my proposal. With that setup I can easily make
queries of the sort "does user X have select right on table Y" as fast as
possible, no slower than, say, looking up an attribute definition in
pg_attribute.

With several privileges per row you make the table unnecessarily sparse,
you make interfacing to the catalog cache a nightmare, and you create all
sorts of funny implementation problems (for example, revoking a privilege
might be an update or a delete, depending on whether it was the last
privilege revoked).


-- 
Peter Eisentraut                  Sernanders väg 10:115
peter_e@gmx.net                   75262 Uppsala
http://yi.org/peter-e/            Sweden




pgsql-hackers by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: config files in /data
Next
From: Tom Lane
Date:
Subject: Re: config files in /data