Re: Proposal for enhancements of privilege system

Peter Eisentraut wrote:

> pg_privilege (
>     priobj oid,
>     prigrantor oid,
>     prigrantee oid,
>     priaction char,
>     priisgrantable boolean,
> 
>     primary key (priobj, prigrantee, priaction)
> )
> 

I like it.

> The straightforward choice would be to store a single reference to
> pg_class when the privilege describes the whole table, and
> pg_attribute references when only specific columns are named. That
> would mean the lookup routine will first look for a pg_class.oid entry
> and, failing that, then for possible pg_attribute.oid entries for the
> columns that it's interested in. This is of course suboptimal when no
> privilege exists in the first place but that is not necessarily the case
> we're optimizing for.

Don't worry about performance for the access denied case. That is going
to be outweighed 1000:1 by the access allowed case. Go for the clean
solution.