Re: System catalog representation of access privileges
| От | Bruce Momjian |
|---|---|
| Тема | Re: System catalog representation of access privileges |
| Дата | |
| Msg-id | 200105080019.f480J5i14460@candle.pha.pa.us обсуждение исходный текст |
| Ответ на | System catalog representation of access privileges (Peter Eisentraut <peter_e@gmx.net>) |
| Список | pgsql-hackers |
I have added this to the TODO as: * Allow better control over user privileges [privileges] and added the thread to TODO.detail. > Oldtimers might recall the last thread about enhancements of the access > privilege system. See > > http://www.postgresql.org/mhonarc/pgsql-hackers/2000-05/msg01220.html > > to catch up. > > It was more or less agreed that privilege descriptors should be split out > into a separate table for better flexibility and ease of processing. The > dispute was that the old proposal wanted to store only one privilege per > row. I have devised something more efficient: > > pg_privilege ( > priobj oid, -- oid of table, column, function, etc. > prigrantor oid, -- user who granted the privilege > prigrantee oid, -- user who owns the privilege > > priselect char, -- specific privileges follow... > prihierarchy char, > priinsert char, > priupdate char, > pridelete char, > prireferences char, > priunder char, > pritrigger char, > prirule char > /* obvious extension mechanism... */ > ) > > The various "char" fields would be NULL for not granted, some character > for granted, and some other character for granted with grant option (a > poor man's enum, if you will). Votes on the particular characters are > being taken. ;-) Since NULLs are stored specially, sparse pg_privilege > rows wouldn't take extra space. > > "Usage" privileges on types and other non-table objects could probably be > lumped under "priselect" (purely for internal purposes). > > For access we define system caches on these indexes: > > index ( priobj, prigrantee, priselect ) > index ( priobj, prigrantee, prihierarchy ) > index ( priobj, prigrantee, priinsert ) > index ( priobj, prigrantee, priupdate ) > index ( priobj, prigrantee, pridelete ) > > These are the privileges you usually need quickly during query processing, > the others are only needed during table creation. These indexes are not > unique (more than one grantor can grant the same privilege), but AFAICS > the syscache interface should work okay with this, since in normal > operation we don't care who granted the privilege, only whether you have > at least one. > > How does that look? > > -- > Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter > > > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania19026
В списке pgsql-hackers по дате отправления: