Thread

  1. Doc patch, further describe and-mask nature of the permission system

    Karl O. Pinc <kop@meme.com> — 2012-09-29T06:16:51Z

    Hi,
    
    The attached documentation patch further describes the 
    additive nature of the permission system.
    
    This patch makes some sweeping statements.  It needs
    review by someone who knows whats in all the corners.
    (I'm sure this would happen anyway, but it seems worth 
    mentioning.)
    
    
    Paragraph structure is:
    
    Describe permission semantics.  Provide example of a common 
    error (unchanged from pre-existing text.)  Generalize from 
    the example's lesson and provide correct process.  Show 
    the semantics apply uniformly throughout Postgres.
    
    Regards,
    
    Karl <kop@meme.com>
    Free Software:  "You don't pay back, you pay forward."
                     -- Robert A. Heinlein
    
    
  2. Re: Doc patch, further describe and-mask nature of the permission system

    Karl O. Pinc <kop@meme.com> — 2012-09-29T07:28:40Z

    On 09/29/2012 01:16:51 AM, Karl O. Pinc wrote:
    
    > The attached documentation patch further describes the 
    > additive nature of the permission system.
    
    Attached a second patch, applied after the
    first, to extend the discussion
    further regards roles.
    
    
    (Original patch attached for reference.)
    
    
    Karl <kop@meme.com>
    Free Software:  "You don't pay back, you pay forward."
                     -- Robert A. Heinlein
    
    
  3. Re: Doc patch, further describe and-mask nature of the permission system v2

    Karl O. Pinc <kop@meme.com> — 2012-10-01T14:05:32Z

    On 09/29/2012 02:28:40 AM, Karl O. Pinc wrote:
    > On 09/29/2012 01:16:51 AM, Karl O. Pinc wrote:
    > 
    > > The attached documentation patch further describes the 
    > > additive nature of the permission system.
    > 
    > Attached a second patch, applied after the
    > first, to extend the discussion
    > further regards roles.
    
    Found a typo in the second patch.  Resending
    the original first patch and a v2 of the second.
    
    
    
    
    Karl <kop@meme.com>
    Free Software:  "You don't pay back, you pay forward."
                     -- Robert A. Heinlein
    
    
  4. Re: Doc patch, further describe and-mask nature of the permission system

    Peter Eisentraut <peter_e@gmx.net> — 2012-11-14T02:50:55Z

    On Sat, 2012-09-29 at 01:16 -0500, Karl O. Pinc wrote:
    > This patch makes some sweeping statements.
    
    Unfortunately, they are wrong.  What you term the additive nature is
    really only a special case in the relationship between table and column
    privileges.  Schema and database privileges are completely separate
    things.
    
    
    
    
  5. Re: Doc patch, further describe and-mask nature of the permission system

    Karl O. Pinc <kop@meme.com> — 2012-11-14T20:35:54Z

    On 11/13/2012 08:50:55 PM, Peter Eisentraut wrote:
    > On Sat, 2012-09-29 at 01:16 -0500, Karl O. Pinc wrote:
    > > This patch makes some sweeping statements.
    > 
    > Unfortunately, they are wrong.
    
    I will see if anything can be salvaged.
    
    Regards,
    
    Karl <kop@meme.com>
    Free Software:  "You don't pay back, you pay forward."
                     -- Robert A. Heinlein
    
    
    
    
  6. Re: Doc patch, further describe and-mask nature of the permission system

    Karl O. Pinc <kop@meme.com> — 2012-12-11T02:48:46Z

    On 11/14/2012 02:35:54 PM, Karl O. Pinc wrote:
    > On 11/13/2012 08:50:55 PM, Peter Eisentraut wrote:
    > > On Sat, 2012-09-29 at 01:16 -0500, Karl O. Pinc wrote:
    > > > This patch makes some sweeping statements.
    > > 
    > > Unfortunately, they are wrong.
    > 
    > I will see if anything can be salvaged.
    
    Here's another try.
    (I bundled changes to both paragraphs into a single
    patch.)
    
    grants-of-roles-are-additive_v3.patch
    
    Regards,
    
    
    Karl <kop@meme.com>
    Free Software:  "You don't pay back, you pay forward."
                     -- Robert A. Heinlein
    
    
  7. Re: Doc patch, further describe and-mask nature of the permission system

    Peter Eisentraut <peter_e@gmx.net> — 2012-12-16T06:56:22Z

    On Mon, 2012-12-10 at 20:48 -0600, Karl O. Pinc wrote:
    > On 11/14/2012 02:35:54 PM, Karl O. Pinc wrote:
    > > On 11/13/2012 08:50:55 PM, Peter Eisentraut wrote:
    > > > On Sat, 2012-09-29 at 01:16 -0500, Karl O. Pinc wrote:
    > > > > This patch makes some sweeping statements.
    > > > 
    > > > Unfortunately, they are wrong.
    > > 
    > > I will see if anything can be salvaged.
    > 
    > Here's another try.
    > (I bundled changes to both paragraphs into a single
    > patch.)
    > 
    > grants-of-roles-are-additive_v3.patch
    
    I don't get the point of this change, especially why you are trying to
    liken the roles system to the object hierarchy, when they are clearly
    different and unrelated.
    
    
    
    
    
  8. Re: Doc patch, further describe and-mask nature of the permission system

    Karl O. Pinc <kop@meme.com> — 2012-12-16T21:40:17Z

    On 12/16/2012 12:56:22 AM, Peter Eisentraut wrote:
    > On Mon, 2012-12-10 at 20:48 -0600, Karl O. Pinc wrote:
    > > On 11/14/2012 02:35:54 PM, Karl O. Pinc wrote:
    > > > On 11/13/2012 08:50:55 PM, Peter Eisentraut wrote:
    > > > > On Sat, 2012-09-29 at 01:16 -0500, Karl O. Pinc wrote:
    > > > > > This patch makes some sweeping statements.
    > > > > 
    > > > > Unfortunately, they are wrong.
    > > > 
    > > > I will see if anything can be salvaged.
    > > 
    > > Here's another try.
    > > (I bundled changes to both paragraphs into a single
    > > patch.)
    > > 
    > > grants-of-roles-are-additive_v3.patch
    > 
    > I don't get the point of this change, especially why you are trying 
    > to
    > liken the roles system to the object hierarchy, when they are clearly
    > different and unrelated.
    
    It seems to me the that the permission system follows the object system
    hierarchy in those cases where different levels of the object
    hierarchy may have identical permissions.  The exceptions being
    permissions like USAGE, which seems to be a convenient common lexical
    token but mean (and need to mean) something entirely different
    at each level of the object hierarchy.   ALL is also confuses the
    issue, since it means "all permissions which work at this level
    of the object hierarchy" and not "all permissions" so, say,
    granting ALL to a database says nothing about INSERT permission.
    
    I'm (clearly) not steeped in the pg permission system, but it
    does seem that where permissions are "shared" between levels
    of the object hierarchy there is a consistency in the
    resulting interaction when granting/revoking at different
    levels of the object hierarchy.  Perhaps this is ipso facto
    (counterexamples being automatically designated as
    "not shared" by nature of the premise :)
    or perhaps more an artifact of my attention than the
    result of any sort of design.  Anyway, my intent is to point
    out this consistency.  Since the way in which interactions
    between permissions set at different levels of the object
    hierarchy is sometimes useful I go on to describe how to
    replicate the behavior and apply it outside the object
    hierarchy.
    
    In any case I thought the elaboration would be helpful.  
    I had a few minutes and cooked it up.  If you don't don't think
    it should go in then reject it.  As noted already in the
    docs, permissions are different at different levels of the
    object hierarchy, but similar enough to describe in one place.
    I was hoping to provide a possible framework for thinking
    about permission interactions between object hierarchy levels 
    where such occur.  Without any sort of framework everything
    becomes a special case and it's hard to keep track of.
    
    Thanks for spending time on it.  If there's anything about
    it that appeals then I will continue to work under
    your direction.
    
    Regards,
    
    Karl <kop@meme.com>
    Free Software:  "You don't pay back, you pay forward."
                     -- Robert A. Heinlein