Re: Updates of SE-PostgreSQL 8.4devel patches (r1168)

KaiGai Kohei wrote:
> > OK.  I am wondering if we _want_ two ways to set column permisions,
> > especially since I think there will be only one way to set row-level
> > permissions.
> 
> I think we should not see the feature from only the viewpoint
> of granularity in access controls. The both of new security
> features (sepgsql and rowacl) are enhanced security features,
> but the Stephen's efforts is one of the core features based on
> SQL-standard and enabled in the default.  Please pay mention
> that any given queries have to be checked by the core facility,
> and can be checked by the enhanced one if enabled.
> 
> The PGACE security framework enables us to implement various
> kind of enhanced security features, and has two guest facilities
> now. They can have its own security model and granularities as
> a part of its design.  The one has its granularities with some
> of overlaps on tables/columns/functions, and the other also has
> its granularity without overlaps because its purpose is supplement
> of the core security facilities.
> 
> So, it is not a strange design there is only one way to set
> row-level permissions, because the current SQL-standard does
> not have its specifications and no core facilities are here.
> If the future version of PostgreSQL got a newer row-level
> permissions defined within SQL-standard, I think there should
> be two ways to set row-level ones for both of the core and
> enhanced.

OK, I understand.  Thanks.

-- Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +