Re: row_security GUC, BYPASSRLS
| От | Adam Brightwell |
|---|---|
| Тема | Re: row_security GUC, BYPASSRLS |
| Дата | |
| Msg-id | CAKRt6CT-_GM4HUccOH0PyWfJxkedF9pi74j980h7VXyGA54hLA@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: row_security GUC, BYPASSRLS (Adam Brightwell <adam.brightwell@crunchydatasolutions.com>) |
| Список | pgsql-hackers |
> I could also see a potential gap in such approach. Specifically, I > could see a case were there are two separate roles, one that is > entrusted with defining the policies but not able to create/modify > tables, and one with the opposite capability (I understand this to be > a fairly common use-case, at least at a system level). Since you > can't GRANT 'alter' rights to the table, then obviously the policy > definer would have to either be the owner of the table or a member of > the role that owns it, right? Given that, if by definition the policy > definer is not allowed to do anything other than define policies, then > obviously putting such a role in the table owners group would allow it > to do much more, correct? Actually, disregard, I forgot about "You must be the owner of a table to create or change policies for it." So that would obviously negate my concern. -Adam -- Adam Brightwell - adam.brightwell@crunchydatasolutions.com Database Engineer - www.crunchydatasolutions.com
В списке pgsql-hackers по дате отправления: