Thread: Modifying pg_shadow?

Modifying pg_shadow?

From
Jason Hihn
Date:
I wish to track some additional info about users. Can I just add columns to
the pg_shadow table? Can I add a system table while I am at it? (how?)

How do I back up the pg_ system tables?

Thanks

Jason Hihn
Paytime Payroll



Re: Modifying pg_shadow?

From
Tom Lane
Date:
Jason Hihn <jhihn@paytimepayroll.com> writes:
> I wish to track some additional info about users. Can I just add columns to
> the pg_shadow table?

Not without modifying the C code that manipulates pg_shadow (at the very
least, some routines in src/backend/commands/user.c would have to
change, and you'd need to update src/include/catalog/pg_shadow.h).

> Can I add a system table while I am at it? (how?)

What's your idea of a "system table"?  Mine is one that some C code in
the backend knows about explicitly.  Unless you've written some C code
that accesses a table, it's not a system table.  The infrastructure for
doing this is at least a header in include/catalog/, usually more
depending on whether you need things like cache support for the new
table.  You might care to look at all the code referencing one of the
lesser-used catalogs, perhaps pg_language or pg_cast, to get a sense of
what is involved.

> How do I back up the pg_ system tables?

They aren't backed up as such; all the useful content is included in the
schema information output by pg_dump or pg_dumpall.

            regards, tom lane

Re: Modifying pg_shadow?

From
Jason Hihn
Date:

> -----Original Message-----
> From: pgsql-novice-owner@postgresql.org
> [mailto:pgsql-novice-owner@postgresql.org]On Behalf Of Tom Lane
> Sent: Monday, September 08, 2003 4:48 PM
> To: Jason Hihn
> Cc: pgsql-novice@postgresql.org
> Subject: Re: [NOVICE] Modifying pg_shadow?
>
>
> Jason Hihn <jhihn@paytimepayroll.com> writes:
> > I wish to track some additional info about users. Can I just
> add columns to
> > the pg_shadow table?
>
> Not without modifying the C code that manipulates pg_shadow (at the very
> least, some routines in src/backend/commands/user.c would have to
> change, and you'd need to update src/include/catalog/pg_shadow.h).


If I could write code to handle tables with extra columns, can't the
back-end do it too? It would be poetic to have the backend process itself
with itself. (It appears you hard code these tables?) Not to mention
extremely flexible.

> > Can I add a system table while I am at it? (how?)
>
> What's your idea of a "system table"?  Mine is one that some C code in
> the backend knows about explicitly.  Unless you've written some C code
> that accesses a table, it's not a system table.  The infrastructure for
> doing this is at least a header in include/catalog/, usually more
> depending on whether you need things like cache support for the new
> table.  You might care to look at all the code referencing one of the
> lesser-used catalogs, perhaps pg_language or pg_cast, to get a sense of
> what is involved.

A 'system table' to me is one provided by Postgres. It is the set of tables
that exist with no user databases and user tables.

> > How do I back up the pg_ system tables?
>
> They aren't backed up as such; all the useful content is included in the
> schema information output by pg_dump or pg_dumpall.

What database name should pg_dump be given? This is a horrid omission from
the online docs! Furthermore, there is also no system database listed in
pg_database.

What I am trying to do, is I need Postgres to handle a thousand users and
several hundred databases. I need somewhere to store what type the user is
(our employee or a client's employee), along with a permission list for that
user - what database(s) that person can access. I have not yet found
something like a pg_grant table to tell me that. There must be one. What is
it?


Re: Modifying pg_shadow?

From
Oliver Fromme
Date:
Jason Hihn wrote:
 > Tom Lane wrote:
 >
 > > > How do I back up the pg_ system tables?
 > >
 > > They aren't backed up as such; all the useful content is included in the
 > > schema information output by pg_dump or pg_dumpall.
 >
 > What database name should pg_dump be given? This is a horrid omission from
 > the online docs! Furthermore, there is also no system database listed in
 > pg_database.

I think "pg_dumpall -g" is what you want.  That _is_ in the
online docs.

However, I agree that restoring a complete PG cluster from
scratch seems to be somewhat difficult.  You still have to
do a lot of things manually in order to get everything right
without missing anything.  At least that's my impression.

 > What I am trying to do, is I need Postgres to handle a thousand users and
 > several hundred databases. I need somewhere to store what type the user is
 > (our employee or a client's employee), along with a permission list for that
 > user - what database(s) that person can access. I have not yet found
 > something like a pg_grant table to tell me that. There must be one. What is
 > it?

I think you might want to look at the relacl column of the
pg_class table.

However, in your case, it might be beneficial to store the
data about users in your own database, in a format which is
suitable for your use.  You can then generate grant/revoke
commands from that if necessary.  It would also be a lot
more portable than depending on the internal structure of
PG system tables.

Just my 0.02 Euro.

Regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination
of their C programs."
        -- Robert Firth

Re: Modifying pg_shadow?

From
Jason Hihn
Date:

> -----Original Message-----
> From: Oliver Fromme [mailto:olli@lurza.secnetix.de]
> Sent: Tuesday, September 09, 2003 9:37 AM
> To: Jason Hihn
> Cc: Tom Lane; pgsql-novice@postgresql.org
> Subject: Re: [NOVICE] Modifying pg_shadow?
>
>
>
> Jason Hihn wrote:
>  > Tom Lane wrote:
>  >
>  > > > How do I back up the pg_ system tables?
>  > >
>  > > They aren't backed up as such; all the useful content is
> included in the
>  > > schema information output by pg_dump or pg_dumpall.
>  >
>  > What database name should pg_dump be given? This is a horrid
> omission from
>  > the online docs! Furthermore, there is also no system database
> listed in
>  > pg_database.
>
> I think "pg_dumpall -g" is what you want.  That _is_ in the
> online docs.

> However, I agree that restoring a complete PG cluster from
> scratch seems to be somewhat difficult.  You still have to
> do a lot of things manually in order to get everything right
> without missing anything.  At least that's my impression.
>
"Chapter 9. Backup and Restore":
pg_dump dbname > outfile

What's the dbname for the system tables? The -g option of pg_dumpall only
does users and groups. No other tables. (Eek!)

>
> I think you might want to look at the relacl column of the
> pg_class table.

Ah, wonderful. This is what I was looking for. Though in the past I've used
databases where I wouldn't have to parse this text. It was quite easy and
fun to work with as tuple data. *wink*

Ok, so I have a question If I have 2 databases, a and b, and they both have
a table, c, how do I grant permissions only to table a.t and not both tables
in both databases at the same time? The intituve answer is not correct -
that 'ON a.t ...' does not work.

> However, in your case, it might be beneficial to store the
> data about users in your own database, in a format which is
> suitable for your use.  You can then generate grant/revoke
> commands from that if necessary.  It would also be a lot
> more portable than depending on the internal structure of
> PG system tables.

I really don't want to have to re-invent the wheel here.

Thank you for your help, I'm headed in the right direction now.


Re: Modifying pg_shadow?

From
Bruce Momjian
Date:
Jason Hihn wrote:
>
>
> > -----Original Message-----
> > From: pgsql-novice-owner@postgresql.org
> > [mailto:pgsql-novice-owner@postgresql.org]On Behalf Of Tom Lane
> > Sent: Monday, September 08, 2003 4:48 PM
> > To: Jason Hihn
> > Cc: pgsql-novice@postgresql.org
> > Subject: Re: [NOVICE] Modifying pg_shadow?
> >
> >
> > Jason Hihn <jhihn@paytimepayroll.com> writes:
> > > I wish to track some additional info about users. Can I just
> > add columns to
> > > the pg_shadow table?
> >
> > Not without modifying the C code that manipulates pg_shadow (at the very
> > least, some routines in src/backend/commands/user.c would have to
> > change, and you'd need to update src/include/catalog/pg_shadow.h).
>
>
> If I could write code to handle tables with extra columns, can't the
> back-end do it too? It would be poetic to have the backend process itself
> with itself. (It appears you hard code these tables?) Not to mention
> extremely flexible.

We do use PostgreSQL to process itself. There is the bootstrap problem
of how to start things.

> > > Can I add a system table while I am at it? (how?)
> >
> > What's your idea of a "system table"?  Mine is one that some C code in
> > the backend knows about explicitly.  Unless you've written some C code
> > that accesses a table, it's not a system table.  The infrastructure for
> > doing this is at least a header in include/catalog/, usually more
> > depending on whether you need things like cache support for the new
> > table.  You might care to look at all the code referencing one of the
> > lesser-used catalogs, perhaps pg_language or pg_cast, to get a sense of
> > what is involved.
>
> A 'system table' to me is one provided by Postgres. It is the set of tables
> that exist with no user databases and user tables.

Just put the table in template1 and it will be added to every database
you create.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: Modifying pg_shadow?

From
Tom Lane
Date:
Jason Hihn <jhihn@paytimepayroll.com> writes:
>> Not without modifying the C code that manipulates pg_shadow (at the very
>> least, some routines in src/backend/commands/user.c would have to
>> change, and you'd need to update src/include/catalog/pg_shadow.h).

> If I could write code to handle tables with extra columns, can't the
> back-end do it too? It would be poetic to have the backend process itself
> with itself.

There's a bootstrapping problem involved; how are you going to process
the tables that tell you what tables contain?  I don't see any
reasonable way that the core catalogs (pg_class, pg_attribute, probably
pg_type and pg_proc) could be handled without hard-coding knowledge of
their contents.  Non-core catalogs could perhaps be handled using
different methods, but it's easier to use the same coding style
throughout the backend.

> What I am trying to do, is I need Postgres to handle a thousand users and
> several hundred databases. I need somewhere to store what type the user is
> (our employee or a client's employee), along with a permission list for that
> user - what database(s) that person can access. I have not yet found
> something like a pg_grant table to tell me that. There must be one. What is
> it?

For "database" you most likely want to think "schema", instead.  Then
you just grant or revoke access as needed.  You might want to assign
users to groups rather than having to manage access rights individually.

            regards, tom lane

Re: Modifying pg_shadow?

From
Tom Lane
Date:
Jason Hihn <jhihn@paytimepayroll.com> writes:
> Ok, so I have a question If I have 2 databases, a and b, and they both have
> a table, c, how do I grant permissions only to table a.t and not both tables
> in both databases at the same time? The intituve answer is not correct -
> that 'ON a.t ...' does not work.

Perhaps you'd better show us exactly what you tried, because the above
doesn't have any connection to my view of reality.  I don't see any way
that a single grant command could affect two databases.

            regards, tom lane

Re: Modifying pg_shadow?

From
Oliver Fromme
Date:
Jason Hihn wrote:
 > "Chapter 9. Backup and Restore":
 > pg_dump dbname > outfile

That'll backup a complete database.

 > What's the dbname for the system tables?

There is none.  The system tables are always visible, no
matter which DB you're connected to.  That's why they are
system tables ...

 > The -g option of pg_dumpall only
 > does users and groups. No other tables. (Eek!)

What other information do you need to be dumped?  Users and
groups are the _only_ global (i.e. cluster-wide) objects,
as far as I have learned.  Everything else is related to a
specific database, so it will be dumped along with that
database when you use pg_dump.

 > Ah, wonderful. This is what I was looking for. Though in the past I've used
 > databases where I wouldn't have to parse this text. It was quite easy and
 > fun to work with as tuple data. *wink*

In my opinion it shouldn't be visible at all, because it
encourages all kinds of abuse ...

 > Ok, so I have a question If I have 2 databases, a and b, and they both have
 > a table, c, how do I grant permissions only to table a.t and not both tables
 > in both databases at the same time? The intituve answer is not correct -
 > that 'ON a.t ...' does not work.

You're always connected to one database.  A GRANT command
will affect only that database, nothing else.  Even when
you issue GRANT on system tables (which are visible in
every database), the change will only affect the database
you're connected to.  I learned that a few days ago, thanks
to Tom Lane.  :-)

 > > However, in your case, it might be beneficial to store the
 > > data about users in your own database, in a format which is
 > > suitable for your use.  You can then generate grant/revoke
 > > commands from that if necessary.  It would also be a lot
 > > more portable than depending on the internal structure of
 > > PG system tables.
 >
 > I really don't want to have to re-invent the wheel here.

Well, if you prefer to use ready-made wheels which are
square instead of round ...  ;-)

Regards
   Oliver

PS:  I'm still a novice, too, so if I talk nonsense, please
someone correct me.  :-)

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"A language that doesn't have everything is actually easier
to program in than some that do."
        -- Dennis M. Ritchie

Re: Modifying pg_shadow?

From
Jason Hihn
Date:

> -----Original Message-----
> From: pgsql-novice-owner@postgresql.org
> [mailto:pgsql-novice-owner@postgresql.org]On Behalf Of Oliver Fromme
> Sent: Tuesday, September 09, 2003 11:55 AM
> To: Jason Hihn
> Cc: pgsql-novice@postgresql.org
> Subject: Re: [NOVICE] Modifying pg_shadow?
>
>
>
> Jason Hihn wrote:
>  > "Chapter 9. Backup and Restore":
>  > pg_dump dbname > outfile
>
> That'll backup a complete database.
>
>  > What's the dbname for the system tables?
>
> There is none.  The system tables are always visible, no
> matter which DB you're connected to.  That's why they are
> system tables ...
>
>  > The -g option of pg_dumpall only
>  > does users and groups. No other tables. (Eek!)
>
> What other information do you need to be dumped?  Users and
> groups are the _only_ global (i.e. cluster-wide) objects,
> as far as I have learned.  Everything else is related to a
> specific database, so it will be dumped along with that
> database when you use pg_dump.
>

OOOh.


>  > Ah, wonderful. This is what I was looking for. Though in the
> past I've used
>  > databases where I wouldn't have to parse this text. It was
> quite easy and
>  > fun to work with as tuple data. *wink*
>
> In my opinion it shouldn't be visible at all, because it
> encourages all kinds of abuse ...

Abuse? I guess you could find out who as access to what and limit your
pasword guessing t a few accounts, but even then it's just a matter of time.

>  > Ok, so I have a question If I have 2 databases, a and b, and
> they both have
>  > a table, c, how do I grant permissions only to table a.t and
> not both tables
>  > in both databases at the same time? The intituve answer is not
> correct -
>  > that 'ON a.t ...' does not work.
>
> You're always connected to one database.  A GRANT command
> will affect only that database, nothing else.  Even when
> you issue GRANT on system tables (which are visible in
> every database), the change will only affect the database
> you're connected to.  I learned that a few days ago, thanks
> to Tom Lane.  :-)

That would be a worth while addition to the docs - that it effects only the
currently connected database.

>  > > However, in your case, it might be beneficial to store the
>  > > data about users in your own database, in a format which is
>  > > suitable for your use.  You can then generate grant/revoke
>  > > commands from that if necessary.  It would also be a lot
>  > > more portable than depending on the internal structure of
>  > > PG system tables.
>  >
>  > I really don't want to have to re-invent the wheel here.
>
> Well, if you prefer to use ready-made wheels which are
> square instead of round ...  ;-)

Well, I'd rather use your wheel and knock off a few corners...

Thanks to everyone - I think all my questions for now are solved!


Re: Modifying pg_shadow?

From
Tom Lane
Date:
Oliver Fromme <olli@lurza.secnetix.de> writes:
> There is none.  The system tables are always visible, no
> matter which DB you're connected to.  That's why they are
> system tables ...

> You're always connected to one database.  A GRANT command
> will affect only that database, nothing else.  Even when
> you issue GRANT on system tables (which are visible in
> every database), the change will only affect the database
> you're connected to.

To enlarge on that a little: for the most part, each database has its
own copy of the system catalogs (created when CREATE DATABASE clones
the contents of template1).  This is why when you create a table in
one database, it's visible in pg_class in that database but not in other
databases.  CREATE TABLE only affects the local copy of pg_class.

The exception to this is the "shared" system catalogs pg_database,
pg_shadow, pg_group.  There is only one cluster-wide copy of these
tables (and their indexes).  That's why you can find out what other
databases exist in the cluster, and why you can create users and
groups that are valid across the cluster and not just in one database.

If you try to do something like GRANT or REVOKE on a system catalog,
you are modifying the local copy of pg_class, and so the effects
are only visible in your current database.  This is true even if the
catalog in question is one of the shared catalogs --- the *contents*
of the shared catalogs are shared, but the metadata about them is
not.

The reason for "pg_dumpall -g" to exist is precisely that users and
groups are cluster-wide.  Everything else (including the pg_database
attributes of a particular database) is dumped by pg_dump acting on
individual databases.  But it would not be useful for each such pg_dump
run to dump CREATE USER/GROUP commands.  So pg_dumpall dumps those
separately, then invokes pg_dump successively on each database.

BTW: the separate-databases mechanism is invaluable for experimental or
development work --- no matter how badly you screw up the contents of
pg_class or pg_proc, you can only corrupt the database you are working
in, and the rest of the cluster can sail along just fine.  But for most
production scenarios, it's probably overkill; do you really need to copy
all the system catalogs for each user?  I'd recommend looking at using
multiple schemas within a single database, instead.  Schemas are much
lighter-weight than databases.  They also allow controlled sharing of
information, whereas in a multiple-databases installation there is no
convenient way to access data from different databases.

            regards, tom lane

Re: Modifying pg_shadow?

From
Jason Hihn
Date:
Wow. I learned a lot just now... You have me interested in these 'schemas' I
know they are new for 7.3, so where can I find more info on them? (I read
Section 2.8)

It now looks like I can't do what I intended and I'll have to create my own
master permission list table, in addition to posture's. But I'll ask it - is
there a way to get all pg_class info for all tables in all databases
(schemas)?

Reading the docs (2.8), this is what I gather:
--Setup:
1) create a database (D), fill with objects
2) create a schema (S)(inherits current database's objects)
--Apps:
1) Connect to database D
2) SET search_path TO S, public; (for not having to scope all sql to this
schema)
3) use the schema as if it were a separate database  i.e. (select
S.tablename -> select tablename, because of my previous step)

Now, what are the implications for:
backups - If I do a pg_dump, it'll dump all schemas? Can I dump just one?
creating tables in the schema - they stay in that schema only?
modifying the database from which the schema was created - modifies all
schemas descended from that database?
create table with my step #2 above - does it go in the schema or the
database?

I think that does it for now...


> -----Original Message-----
> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
> Sent: Tuesday, September 09, 2003 12:24 PM
> To: Oliver Fromme
> Cc: Jason Hihn; pgsql-novice@postgresql.org
> Subject: Re: [NOVICE] Modifying pg_shadow?
>
>
> Oliver Fromme <olli@lurza.secnetix.de> writes:
> > There is none.  The system tables are always visible, no
> > matter which DB you're connected to.  That's why they are
> > system tables ...
>
> > You're always connected to one database.  A GRANT command
> > will affect only that database, nothing else.  Even when
> > you issue GRANT on system tables (which are visible in
> > every database), the change will only affect the database
> > you're connected to.
>
> To enlarge on that a little: for the most part, each database has its
> own copy of the system catalogs (created when CREATE DATABASE clones
> the contents of template1).  This is why when you create a table in
> one database, it's visible in pg_class in that database but not in other
> databases.  CREATE TABLE only affects the local copy of pg_class.
>
> The exception to this is the "shared" system catalogs pg_database,
> pg_shadow, pg_group.  There is only one cluster-wide copy of these
> tables (and their indexes).  That's why you can find out what other
> databases exist in the cluster, and why you can create users and
> groups that are valid across the cluster and not just in one database.
>
> If you try to do something like GRANT or REVOKE on a system catalog,
> you are modifying the local copy of pg_class, and so the effects
> are only visible in your current database.  This is true even if the
> catalog in question is one of the shared catalogs --- the *contents*
> of the shared catalogs are shared, but the metadata about them is
> not.
>
> The reason for "pg_dumpall -g" to exist is precisely that users and
> groups are cluster-wide.  Everything else (including the pg_database
> attributes of a particular database) is dumped by pg_dump acting on
> individual databases.  But it would not be useful for each such pg_dump
> run to dump CREATE USER/GROUP commands.  So pg_dumpall dumps those
> separately, then invokes pg_dump successively on each database.
>
> BTW: the separate-databases mechanism is invaluable for experimental or
> development work --- no matter how badly you screw up the contents of
> pg_class or pg_proc, you can only corrupt the database you are working
> in, and the rest of the cluster can sail along just fine.  But for most
> production scenarios, it's probably overkill; do you really need to copy
> all the system catalogs for each user?  I'd recommend looking at using
> multiple schemas within a single database, instead.  Schemas are much
> lighter-weight than databases.  They also allow controlled sharing of
> information, whereas in a multiple-databases installation there is no
> convenient way to access data from different databases.
>
>             regards, tom lane
>


Re: Modifying pg_shadow?

From
Oliver Fromme
Date:
Jason Hihn wrote:
 > Wow. I learned a lot just now... You have me interested in these 'schemas' I
 > know they are new for 7.3, so where can I find more info on them? (I read
 > Section 2.8)

I think the docs contain all necessary information.  You
should also have a look at the description of CREATE SCHEMA
in the SQL Commands section of the Reference Manual.

 > It now looks like I can't do what I intended and I'll have to create my own
 > master permission list table, in addition to posture's. But I'll ask it - is
 > there a way to get all pg_class info for all tables in all databases
 > (schemas)?

Not easily.  You'll have to connect to all databases in
turn.  For example, a little shell script like this will
do it (caution, this is from the top of my head, not
tested):

DBSEL="SELECT datname FROM pg_database WHERE datname != 'template0'"
psql -q -t -A -d template1 -c "$DBSEL" \
| while read DATNAME; do
        psql ... -d $DATNAME -c "select * from pg_class"
done

Alternatively, the shell script could build a script for
psql using the \c meta-command to change databases, so
psql doesn't have to be exec'ed a hundred times if you
have a hundred databases ...

 > Reading the docs (2.8), this is what I gather:
 > --Setup:
 > 1) create a database (D), fill with objects
 > 2) create a schema (S)(inherits current database's objects)

No.  The objects already belong to the "public" schema.
When you create a new schema, it won't inherit them.
It will be empty.

You should create the schema first, then create the
objects inside that schema.

Remember that schemas are namespaces.  Think of it like
directories in a filesystem, as an analogy.  The database
would be the filesystem, the schemas are directories (only
one level of them, though, as in MS-DOS 1.0), and the
tables are files in that directory.

 > --Apps:
 > 1) Connect to database D
 > 2) SET search_path TO S, public; (for not having to scope all sql to this
 > schema)
 > 3) use the schema as if it were a separate database  i.e. (select
 > S.tablename -> select tablename, because of my previous step)

Right.  You have to be careful with permissions, though.
You can configure HBA access based on databases, but not
based on schemas.  You need to use GRANT / REVOKE.

 > Now, what are the implications for:
 > backups - If I do a pg_dump, it'll dump all schemas?

Yes.

 > Can I dump just one?

You can dump all tables that are contained in one schema.

 > creating tables in the schema - they stay in that schema only?

Yes.  Remember, a schema is just a namespace.

 > modifying the database from which the schema was created - modifies all
 > schemas descended from that database?

What exactly do you mean?  What modification?

 > create table with my step #2 above - does it go in the schema or the
 > database?

It will always go into a schema, either your self-defined
one, or the the "public" schema, depending on your search
path (if you don't specify the schema explicitely).  The
function current_schema() will tell you in which one a
newly created table will go.

Regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"... there are two ways of constructing a software design:  One way
is to make it so simple that there are _obviously_ no deficiencies and
the other way is to make it so complicated that there are no _obvious_
deficiencies."        -- C.A.R. Hoare, ACM Turing Award Lecture, 1980

Re: Modifying pg_shadow?

From
Jason Hihn
Date:
AAAh. I'll have to write a PostgreSQL Schema for Dummies page. ;-)

Correct me if I'm wrong:
I can create payroll.accountname.* (d.s.t), but the login security can only
auth to database level. Meaning my schema security must fall upon
grant/revoke.

I could then create payroll.tax (d.s), and set the search_path=account,tax
and share the same tax tables between all accounts.

Any database table (database.table) is in the public schema, with pg_*
ALWAYS avaible regardless of search_path. (so I could also do
payroll.taxtable{1,2,3} and still share but with search_path=account,public

How is the pg_dump done when only done for a schema?
"pg_dump d.s"?

Looks like I have to u/g from 7.2 to 7.3 sooner than I thought. Any word on
7.4? (Yeah, I know, "when its ready" but how ready does it look?)

Thanks a bunch, again.


> -----Original Message-----
> From: Oliver Fromme [mailto:olli@lurza.secnetix.de]
> Sent: Tuesday, September 09, 2003 3:20 PM
> To: Jason Hihn
> Cc: Tom Lane; pgsql-novice@postgresql.org
> Subject: Re: [NOVICE] Modifying pg_shadow?
>
>
>
> Jason Hihn wrote:
>  > Wow. I learned a lot just now... You have me interested in
> these 'schemas' I
>  > know they are new for 7.3, so where can I find more info on
> them? (I read
>  > Section 2.8)
>
> I think the docs contain all necessary information.  You
> should also have a look at the description of CREATE SCHEMA
> in the SQL Commands section of the Reference Manual.
>
>  > It now looks like I can't do what I intended and I'll have to
> create my own
>  > master permission list table, in addition to posture's. But
> I'll ask it - is
>  > there a way to get all pg_class info for all tables in all databases
>  > (schemas)?
>
> Not easily.  You'll have to connect to all databases in
> turn.  For example, a little shell script like this will
> do it (caution, this is from the top of my head, not
> tested):
>
> DBSEL="SELECT datname FROM pg_database WHERE datname != 'template0'"
> psql -q -t -A -d template1 -c "$DBSEL" \
> | while read DATNAME; do
>         psql ... -d $DATNAME -c "select * from pg_class"
> done
>
> Alternatively, the shell script could build a script for
> psql using the \c meta-command to change databases, so
> psql doesn't have to be exec'ed a hundred times if you
> have a hundred databases ...
>
>  > Reading the docs (2.8), this is what I gather:
>  > --Setup:
>  > 1) create a database (D), fill with objects
>  > 2) create a schema (S)(inherits current database's objects)
>
> No.  The objects already belong to the "public" schema.
> When you create a new schema, it won't inherit them.
> It will be empty.
>
> You should create the schema first, then create the
> objects inside that schema.
>
> Remember that schemas are namespaces.  Think of it like
> directories in a filesystem, as an analogy.  The database
> would be the filesystem, the schemas are directories (only
> one level of them, though, as in MS-DOS 1.0), and the
> tables are files in that directory.
>
>  > --Apps:
>  > 1) Connect to database D
>  > 2) SET search_path TO S, public; (for not having to scope all
> sql to this
>  > schema)
>  > 3) use the schema as if it were a separate database  i.e. (select
>  > S.tablename -> select tablename, because of my previous step)
>
> Right.  You have to be careful with permissions, though.
> You can configure HBA access based on databases, but not
> based on schemas.  You need to use GRANT / REVOKE.
>
>  > Now, what are the implications for:
>  > backups - If I do a pg_dump, it'll dump all schemas?
>
> Yes.
>
>  > Can I dump just one?
>
> You can dump all tables that are contained in one schema.
>
>  > creating tables in the schema - they stay in that schema only?
>
> Yes.  Remember, a schema is just a namespace.
>
>  > modifying the database from which the schema was created - modifies all
>  > schemas descended from that database?
>
> What exactly do you mean?  What modification?
>
>  > create table with my step #2 above - does it go in the schema or the
>  > database?
>
> It will always go into a schema, either your self-defined
> one, or the the "public" schema, depending on your search
> path (if you don't specify the schema explicitely).  The
> function current_schema() will tell you in which one a
> newly created table will go.
>
> Regards
>    Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> "... there are two ways of constructing a software design:  One way
> is to make it so simple that there are _obviously_ no deficiencies and
> the other way is to make it so complicated that there are no _obvious_
> deficiencies."        -- C.A.R. Hoare, ACM Turing Award Lecture, 1980
>


Re: Modifying pg_shadow?

From
Oliver Fromme
Date:
Jason Hihn wrote:
 > Correct me if I'm wrong:
 > I can create payroll.accountname.* (d.s.t), but the login security can only
 > auth to database level. Meaning my schema security must fall upon
 > grant/revoke.

Right.  The default for a schema is that only the owner can
use it.  That might be already what you want.

 > I could then create payroll.tax (d.s), and set the search_path=account,tax
 > and share the same tax tables between all accounts.

I'm not sure if I understand what you mean.

By default, only the owner of the tax schema will be able
to see the tables inside.  To grant everyone access who can
connect to the payroll database, you would do something
like GRANT USAGE ON SCHEMA tax TO PUBLIC.  See the docs
on the GRANT command for details.

 > Any database table (database.table) is in the public schema,

Actually database.public.table.  There's nothing magic about
the "public" schema.  It's just the default.  You can even
drop it and work entirely with your own schemas.

 > with pg_*
 > ALWAYS avaible regardless of search_path. (so I could also do
 > payroll.taxtable{1,2,3} and still share but with search_path=account,public

The pg_* system tables are contained in a system schema
called pg_catalog.  It's explained in the docs.

The docs really aren't that bad.  You just have to read
them.  Repeatedly, if necessary.  ;-)

 > How is the pg_dump done when only done for a schema?
 > "pg_dump d.s"?

No, you have to name the tables of that schema, using the
-t option.

 > Looks like I have to u/g from 7.2 to 7.3 sooner than I thought. Any word on
 > 7.4? (Yeah, I know, "when its ready" but how ready does it look?)

I leave that answer to the experts.  :-)

Regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"When your hammer is C++, everything begins to look like a thumb."
        -- Steve Haflich, in comp.lang.c++