Re: New patch for Column-level privileges

Поиск
Список
Период
Сортировка
От Jaime Casanova
Тема Re: New patch for Column-level privileges
Дата
Msg-id 3073cc9b0901072141j35c67ex1fede7ce4a9f2dab@mail.gmail.com
обсуждение исходный текст
Ответ на Re: New patch for Column-level privileges  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
Ответы Re: New patch for Column-level privileges
Список pgsql-hackers
Дерево обсуждения 
On Wed, Jan 7, 2009 at 1:46 AM, KaiGai Kohei <kaigai@ak.jp.nec.com> wrote:
>
> The attached patch is a proof of the concept.
> It walks on a given query tree to append accessed columns on
> rte->cols_sel and rte->cols_mod.
> When aliasvar of JOIN'ed relation is accesses, its source is
> appended on the list.
>

for my test i created to tables:

CREATE TABLE t1 (col1 int primary key, col2 int);
CREATE TABLE t2 (col1 int references t1);

and a role:

CREATE ROLE rol1;

then i granted all cols in the table to the role:

GRANT SELECT (col1) ON t1 TO rol1;
GRANT SELECT (col2) ON t1 TO rol1;
GRANT SELECT (col1) ON t2 TO rol1;

prueba=> \dp                             Access privilegesSchema | Name | Type  |     Access privileges     | Column
Accessprivileges 
--------+------+-------+---------------------------+--------------------------public | t1   | table |
postgres=arwdDxt/postgres| col1                                                  :   postgres=arw/postgres
                                   :   rol1=r/postgres                                                  : col2
                                       :   postgres=arw/postgres                                                  :
rol1=r/postgrespublic| t2   | table | postgres=arwdDxt/postgres | col1
:  postgres=arw/postgres                                                  :   rol1=r/postgres 
(2 rows)


then i execute:

prueba=> select t1.* from t1, t2 where t1.col1 = t2.col1;
NOTICE:  pg_attribute_aclmask: t1.col1 required: 0002 allowed: 0002
NOTICE:  pg_attribute_aclmask: t1.col2 required: 0002 allowed: 0002
NOTICE:  pg_attribute_aclmask: t1.col1 required: 0002 allowed: 0002
NOTICE:  pg_attribute_aclmask: t2.col1 required: 0002 allowed: 0002col1 | col2
------+------
(0 rows)

good, but if i doesn't include filter conditions:

prueba=> select t1.* from t1, t2;
NOTICE:  pg_attribute_aclmask: t1.col1 required: 0002 allowed: 0002
NOTICE:  pg_attribute_aclmask: t1.col2 required: 0002 allowed: 0002
ERROR:  permission denied for relation t2

is this intended?



--
Atentamente,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Asesoría y desarrollo de sistemas
Guayaquil - Ecuador
Cel. +59387171157

В списке pgsql-hackers по дате отправления: