Re: SE-PostgreSQL Specifications

Stephen Frost wrote:
> KaiGai,
> 
> * KaiGai Kohei (kaigai@ak.jp.nec.com) wrote:
>> I began to describe the list of abstraction layer functions (but not completed yet):
>>   http://wiki.postgresql.org/wiki/SEPostgreSQL_Abstraction
> 
> I'm not really a huge fan of 'security_' as a prefix for these
> functions, but I don't have a better suggestion right now.

If so, 'pgsec_' (PostGresql SECutiry) instead?

> The initial abstraction patch shouldn't include the security context
> pieces.  I realize that will be needed eventually, but the patch to do
> the abstraction and to formally move permissions checking to aclchk.c
> needs to stand alone.  I'm also not sure that the API of having the
> security context be returned as a Datum makes sense..

OK, I'll add pieces corresponding to the security context on the second
patch (SE-PostgreSQL patch).

> Doesn't security_table_permissions() need to know if the query is an
> UPDATE or an INSERT?

Either ACL_UPDATE or ACL_INSERT should be set on the required_perms.
Both of them are never set in same time.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>