Dear Tom,
> 4. I think that the system ACL entry should be "hidden" and not
> displayed by ACL-list printing. I'm not quite sure yet how to make
> that happen. It would be nicer if the owner ID could be passed to
> recursive_revoke out-of-band, instead of being represented inside the
> ACL list, but I don't see how to do that for all its callers.
>
> Thoughts?
(1) It seems to me that part of the consequence of what the suggest could be that there would be no such thing as
defaultacl implied by a null entry in an aclitem. If so, this would be a very good thing. However, this has
implicationson pg initialization.
(2) Although I subscribe your first 3 points, I do not like the 4th point. I don't think it is good practice to hide
anything. That would make the acl display less understandable, as part for the reality is not shown. It makes any
externaltool (pgadmin, advisor, whatever else) to have to know this fact and possibly handle it as a special case.
(3) The standard name for the system grantor is "_SYSTEM". User number 0 does not seem a bad idea, but how would it
interactwith number 1? How often in the source code will they have to be tested?
(4) How can/could a super user add or change these system granted privileges? Or should it be forbidden even to the
su?
(5) Some thought could be given to the implication about future ROLEs. I'm interested in roles for my teaching, as
theycould allow a database owner to manage fully the rights of its database wrt to other users without needing any
superuser privilege. Good for students;-)
--
Fabien Coelho - coelho@cri.ensmp.fr
