Thread: Grant options

Grant options

From: Peter Eisentraut
Date:
I am implementing the grant option feature which enables an object owner
to allow others to re-grant privileges.  For REVOKE you can specify
CASCADE and privileges granted in this manner are revoked recursively.

Currently, I have made it so that you can only give grant options to
users, not groups.  The problem is that when a user has granted privileges
having had the grant option through a group and is later removed from the
group then the privileges should be revoked, but the old problem is that
it's not possible to do this in all databases.

I have extended the aclitem external format as follows:
   grantee=a*bc*/grantor

means the "a" and "c" privileges are held with grant option (the letters
are just examples), and the whole thing was granted by the given grantor.
(You can hold the same privilege many times granted by different users.)

What are the requirements for backward compatibility here?  If the "*" are
missing then the privilege is held without grant option which is currently
the default.  If the "/grantor" portion is missing then it's assumed to be
equivalent to the grantee.  This makes sense in a limited number of cases.
One would like to have the object owner as the default but the
"aclitemout" function doesn't have information about that.

I noted three undocumented SQL functions operating on ACLs: aclinsert,
aclremove, aclcontains.  What are those intended for?  How should they
maintain the integrity of the ACL that is ensured by cascading revoke?

In order to query the availability of a grant option I would like to
extend the has_foo_privilege family of functions so that they can take as
the privilege type argument, say, 'UPDATE WITH GRANT OPTION' instead of
'UPDATE'.  In order to be able to represent the grantee/grantor
relationship in the information schema I also need a function
has_foo_privilege_granted_by(grantee, objectid, priv, grantor).

Comments?

-- 
Peter Eisentraut   peter_e@gmx.net
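The extended aclitem format and the cascading revoke described in the post above, as an added example that is not part of the original message or of PostgreSQL's own code. The parser, the function names, the sample ACL, and the rule that the cascade stops when the grantee still holds the grant option from another grantor are this example's assumptions.

```python
import re
from dataclasses import dataclass

# grantee=a*bc*/grantor : letters are privileges, '*' marks WITH GRANT OPTION,
# '/grantor' is optional and defaults to the grantee (as described in the post).
ITEM_RE = re.compile(r"^(?P<grantee>[^=/]*)=(?P<privs>(?:[A-Za-z]\*?)*)(?:/(?P<grantor>[^/]+))?$")

@dataclass(frozen=True)
class AclItem:
    grantee: str
    grantor: str
    privs: frozenset        # privilege letters held
    grant_opt: frozenset    # subset of privs held WITH GRANT OPTION

def parse_aclitem(text):
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"malformed aclitem: {text!r}")
    privs, grant_opt = set(), set()
    for letter, star in re.findall(r"([A-Za-z])(\*?)", m["privs"]):
        privs.add(letter)
        if star:
            grant_opt.add(letter)
    grantor = m["grantor"] if m["grantor"] is not None else m["grantee"]
    return AclItem(m["grantee"], grantor, frozenset(privs), frozenset(grant_opt))

def format_aclitem(item):
    body = "".join(p + ("*" if p in item.grant_opt else "") for p in sorted(item.privs))
    return f"{item.grantee}={body}/{item.grantor}"

def has_grant_option(acl, grantee, priv):
    return any(i.grantee == grantee and priv in i.grant_opt for i in acl)

def revoke_cascade(acl, grantor, grantee, priv):
    """Drop `priv` granted by `grantor` to `grantee`; if the grantee then no
    longer holds `priv` with grant option from anyone, recursively revoke
    every grant of `priv` the grantee made (the CASCADE behaviour of the post).
    Assumption of this example: grants made while a grant option is still held
    via another grantor survive."""
    new_acl = []
    for i in acl:
        if i.grantee == grantee and i.grantor == grantor and priv in i.privs:
            left = i.privs - {priv}
            if left:  # keep the item when other privileges remain on it
                new_acl.append(AclItem(i.grantee, i.grantor, left, i.grant_opt - {priv}))
        else:
            new_acl.append(i)
    if not has_grant_option(new_acl, grantee, priv):
        for dep in [x for x in new_acl if x.grantor == grantee and priv in x.privs]:
            new_acl = revoke_cascade(new_acl, grantee, dep.grantee, priv)
    return new_acl
```

Revoking "r" from bob (granted by alice) removes the "r" carol received from bob, because bob no longer holds "r" with grant option; constructed sample ACL strings drive the check.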



pg_dump ordering

From: "Christopher Kings-Lynne"
Date:
Hey Peter,

I remember a while back you were saying you were working on pg_dump object
ordering?  What happened with that?  Did you need some help with it?

I ask because my 7.2 to 7.3 upgrade is making me cry and I want to prevent
future pain...

Chris



Re: pg_dump ordering

From: Peter Eisentraut
Date:
Christopher Kings-Lynne writes:

> I remember a while back you were saying you were working on pg_dump object
> ordering?  What happened with that?  Did you need some help with it?

I don't remember that and I don't have any specific plans relating to
that.

-- 
Peter Eisentraut   peter_e@gmx.net