Thread

  1. AW: Proposal for enhancements of privilege system

    Zeugswetter Andreas SB <zeugswettera@wien.spardat.at> — 2000-05-30T11:39:17Z

    > > Imho this is an area where it does make sense to look at what other
    > > db's do, because it makes the toolwriters life so much easier if pg
    > > behaves like some other common db.
    > 
    > The defined interface to the privilege system is GRANT, REVOKE, and
    > "access denied" (and a couple of INFORMATION_SCHEMA views, 
    > eventually).
    > I don't see how other db's play into this.
    
    Of course the grant revoke is the same. But administrative tools usually
    allow you to dump schema, all rights, triggers ... for an object and thus
    need 
    access to the system tables containing the grants.
    
    > 
    > > Other db's usually use a char array for priaction and don't have
    > > priisgrantable, but code it into priaction. Or they use a bitfield.
    > > This has the advantage of only producing one row per table.
    > 
    > That's the price I'm willing to pay for abstraction, 
    > extensibility, and
    > verifyability. But I'm open for better ideas.
    
    Imho this is an area that is extremly sensitive to performance,
    the rights have to be checked for each access.
    
    Andreas
    
    
  2. Re: AW: Proposal for enhancements of privilege system

    Karel Zak <zakkr@zf.jcu.cz> — 2000-05-30T11:46:09Z

    On Tue, 30 May 2000, Zeugswetter Andreas SB wrote:
    
    > > 
    > > > Other db's usually use a char array for priaction and don't have
    > > > priisgrantable, but code it into priaction. Or they use a bitfield.
    > > > This has the advantage of only producing one row per table.
    > > 
    > > That's the price I'm willing to pay for abstraction, 
    > > extensibility, and
    > > verifyability. But I'm open for better ideas.
    > 
    > Imho this is an area that is extremly sensitive to performance,
    > the rights have to be checked for each access.
    
     Yes, but I believe that Peter's idea is good. System tables are used for
    each access not only for ACL, and performance problem is a problem for
    system cache not primary for privilege system.
    
     I look forward set privilege for columns and functions. Large multiuser
    projects need it.
    
    							Karel
    
    
    
  3. Re: AW: Proposal for enhancements of privilege system

    Peter Eisentraut <e99re41@docs.uu.se> — 2000-05-30T11:49:40Z

    On Tue, 30 May 2000, Zeugswetter Andreas SB wrote:
    
    > Of course the grant revoke is the same. But administrative tools
    > usually allow you to dump schema, all rights, triggers ... for an
    > object and thus need access to the system tables containing the
    > grants.
    
    That's what you use the information schema views for. Also, of course,
    we're light years away from having anything like a portable pg_dump.
    
    > Imho this is an area that is extremly sensitive to performance, the
    > rights have to be checked for each access.
    
    But using some sort of arrays is going to make it slower in any case since
    you can't use indexes on those.
    
    
    -- 
    Peter Eisentraut                  Sernanders väg 10:115
    peter_e@gmx.net                   75262 Uppsala
    http://yi.org/peter-e/            Sweden