[HACHERS] privilege check: column level only?
From | Golden Liu |
---|---|
Subject | [HACHERS] privilege check: column level only? |
Date | |
Msg-id | 2d3034200706042139sb7d620bja9a9b9243cb91c28@mail.gmail.com |
Responses |
Re: [HACHERS] privilege check: column level only?
Re: [HACHERS] privilege check: column level only? |
List | pgsql-hackers |
Hello

I'm one of the Google SoC's students for PostgreSQL. While reading the sql92 standard, I found something like this:

    11.36 <grant statement>
    General Rules
    3) For every identified privilege descriptor whose action is
       SELECT, INSERT, UPDATE, or REFERENCES without a column name,
       privilege descriptors are also created for each column C in O
       for which A holds the corresponding privilege with grant option.
       For each such column, a privilege descriptor is created
       that specifies the identical <grantee>, the identical <action>,
       object C, and grantor A.

According to this, column privilege descriptors are created automatically while table privilege descriptor is created. Then, while checking privilege, can I JUST check column level privilege?

Here are some examples.

(1)

    CREATE TABLE t1 (c1 int, c2 int);
    GRANT SELECT ON t1 TO grantee;
    REVOKE SELECT ON t1 (c1) FROM grantee;

Now grantee has privilege on t1(c2) but NOT on t1(c1). Although grantee has privilege on t1, he still has no privilege on t1(c1). So checking column privilege is enough. We don't need to check table privilege.

(2)

    CREATE TABLE t1 (c1 int, c2 int);
    REVOKE SELECT ON t1 FROM grantee;
    GRANT SELECT ON t1(c2) TO grantee;

Here, still, grantee has privilege on t1(c2) but NOT on t1(c1). (Is this right?) Although grantee has no privilege on t1, he can have privilege on t1(c1). Here, again, checking column privilege is enough.

Table privilege is useful when you add columns to a table. Whether grantee has privilege on the new columns depends on whether he has privilege on the table.

Any and all help and/or comment is appreciated. From the SQL standard, I found no information on how privilege check should be done.

Thanks.
Dong

--
Guodong Liu
Database Lab, School of EECS, Peking University
Room 314, Building 42, Peking University, Beijing, 100871, China
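
The two examples from the message, run through a toy model of privilege descriptors; this is an added illustration, not part of the original post and not PostgreSQL code. The `Catalog` class, its method names, the `scenario` helper, and the rule that a table-level REVOKE also drops the grantee's column descriptors are assumptions of the sketch, as is a grantor who holds every privilege with grant option.

```python
# Toy model of SQL-92 privilege descriptors (illustrative, hypothetical names).
# Assumption: the grantor holds every privilege with grant option.
# Assumption: a table-level REVOKE also drops the grantee's column descriptors.

class Catalog:
    def __init__(self):
        self.columns = {}          # table -> list of column names
        self.table_privs = set()   # (grantee, action, table)
        self.column_privs = set()  # (grantee, action, table, column)

    def create_table(self, table, columns):
        self.columns[table] = list(columns)

    def grant(self, grantee, action, table, columns=None):
        if columns is None:
            # General Rule 3: a grant without a column name also creates
            # one descriptor per column of the table.
            self.table_privs.add((grantee, action, table))
            columns = self.columns[table]
        for c in columns:
            self.column_privs.add((grantee, action, table, c))

    def revoke(self, grantee, action, table, columns=None):
        if columns is None:
            self.table_privs.discard((grantee, action, table))
            columns = self.columns[table]
        for c in columns:
            self.column_privs.discard((grantee, action, table, c))

    def add_column(self, table, column):
        self.columns[table].append(column)
        # A new column gets descriptors only from table-level grants.
        for grantee, action, t in list(self.table_privs):
            if t == table:
                self.column_privs.add((grantee, action, table, column))

    def allowed(self, grantee, action, table, columns):
        # The check proposed in the message: consult column descriptors only.
        return all((grantee, action, table, c) in self.column_privs
                   for c in columns)

def scenario(first_stmt, second_stmt):
    """CREATE TABLE t1 (c1, c2), run two statements, then add column c3."""
    cat = Catalog()
    cat.create_table("t1", ["c1", "c2"])
    for op, cols in (first_stmt, second_stmt):
        getattr(cat, op)("grantee", "SELECT", "t1", cols)
    cat.add_column("t1", "c3")
    return {c: cat.allowed("grantee", "SELECT", "t1", [c])
            for c in ("c1", "c2", "c3")}

example_1 = scenario(("grant", None), ("revoke", ["c1"]))   # example (1)
example_2 = scenario(("revoke", None), ("grant", ["c2"]))   # example (2)
```

In this model both examples give the same answer for c1 and c2, and differ only on the column added afterwards, which is where the table-level descriptor still matters.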