Thread: Re: [HACKERS] RFC: Security and Impersonation

Re: [HACKERS] RFC: Security and Impersonation

From
Philip Warner
Date:
At 10:51 23/07/99 -0400, you wrote:
>
>We have some of this, I think, from ACLs on tables and views.  But
>as far as I know there is not a notion of a "suid view", one with
>different privileges from its caller.  It sounds like a good thing
>to work on.  Is there any standard in the area?
>

I'll look through the SQL3 stuff, and see what I can find.

I've now done this,and it's in the SQL3 standard. It is implemented via
Modules. The idea being that all routines (procedures and functions) apear
in a module, and that the module can have a 'Module Authorization
Identifier'. The syntax is:

Create Module MY_MODULE Language SQLAuthorization SOME_ID

Procedure Some_Procedure....

...etc

End Module;

If the auth. ID is specified, then (quoting from the standard p. 95):
        "... that <module authorization        identifier> is used as the current <authorization identifier> for
theexecution of all <routine>s in the <module>. If the <module        authorization identifier> is not specified, then
theSQL-session        <authorization identifier> is used as the current <authorization        identifier> for the
executionof each <routine> in the <module>.
 

Let me know if you want to know more. The relevant standard can be found at:

ftp://gatekeeper.dec.com/pub/standards/sql/sql-foundation-aug94.txt


----------------------------------------------------------------
Philip Warner                    |     __---_____
Albatross Consulting Pty. Ltd.   |----/       -  \
(A.C.N. 008 659 498)             |          /(@)   ______---_
Tel: +61-03-5367 7422            |                 _________  \
Fax: +61-03-5367 7430            |                 ___________ |
Http://www.rhyme.com.au          |                /           \|                                |    --________--
PGP key available upon request,  |  /
and from pgp5.ai.mit.edu:11371   |/


Re: [HACKERS] RFC: Security and Impersonation

From
Tom Lane
Date:
Philip Warner <pjw@rhyme.com.au> writes:
> I'll look through the SQL3 stuff, and see what I can find.
>
> I've now done this,and it's in the SQL3 standard. It is implemented via
> Modules. The idea being that all routines (procedures and functions) apear
> in a module, and that the module can have a 'Module Authorization
> Identifier'.

Cool.  I doubt anyone will object to adding this SQL3 feature to
Postgres, if you feel like working on it.
        regards, tom lane