Re: [PATCH] DefaultACLs
| От | Petr Jelinek |
|---|---|
| Тема | Re: [PATCH] DefaultACLs |
| Дата | |
| Msg-id | 4AC5CAE8.4070701@pjmodos.net обсуждение исходный текст |
| Ответ на | Re: [PATCH] DefaultACLs (Robert Haas <robertmhaas@gmail.com>) |
| Ответы |
Re: [PATCH] DefaultACLs
|
| Список | pgsql-hackers |
Robert Haas napsal(a): <blockquote cite="mid:603c8f070910011820w5ed09055n399811239af4ba0c@mail.gmail.com" type="cite"><prewrap="">On Thu, Oct 1, 2009 at 1:37 PM, Tom Lane <a class="moz-txt-link-rfc2396E" href="mailto:tgl@sss.pgh.pa.us"><tgl@sss.pgh.pa.us></a>wrote: </pre><blockquote type="cite"><pre wrap="">Petr Jelinek<a class="moz-txt-link-rfc2396E" href="mailto:pjmodos@pjmodos.net"><pjmodos@pjmodos.net></a> writes: </pre><blockquotetype="cite"><pre wrap="">because it seems like merging privileges seems to be acceptable for most (although I am not sure I like it, but I don't have better solution for managing conflicts), I changed the patch to do just that. </pre></blockquote><pre wrap="">It's not clear to me whetherwe have consensus on this approach. Last chance for objections, anyone? The main argument I can see against doing it this way is that it doesn't provide a means for overriding the hard-wired public grants for object types that have such (principally functions). I think that a reasonable way to address that issue would be for a follow-on patch that allows changing the hard-wired default privileges for object types. It might well be that no one cares enough for it to matter, though. I think that in most simple cases what's needed is a way to add privileges, not subtract them --- and we're already agreed that this mechanism is only meant to simplify simple cases. </pre></blockquote><pre wrap=""> I'm going to reiterate what I suggested upthread... let's let the default, global default ACL contain the hard-wired privileges, instead of making them hardwired. Then your objects will get those privileges not because they are hard-wired, but because you haven't changed your global default ACL to not contain them. </pre></blockquote><br /> That's somewhat how I implemented it although not juston global level but in any single filter, what we now have as defaults (before this patch) is used as template for defaultacls and you can revoke it. You just can't revoke anything you granted anywhere in the default acls chain.<br /><br/><pre class="moz-signature" cols="72">-- Regards Petr Jelinek (PJMODOS)</pre>
В списке pgsql-hackers по дате отправления: