On Sun, Aug 12, 2018 at 10:40:30PM -0400, Robert Haas wrote:
> On Wed, Aug 8, 2018 at 1:15 PM, Tom Lane wrote:
> > If we had, say, a catalog that provided the desired list of trusted roles
> > for every role, then we could imagine implementing that context change
> > automatically. Likewise, stuf
On Wed, Aug 8, 2018 at 1:15 PM, Tom Lane wrote:
> that they had to worry about this themselves. Of the various ideas that
> we'd kicked around and not been able to finish, the one that seemed most
> promising to me was to invent a "function trust" mechanism.
In the interest of giving credit wher
On Thu, Aug 9, 2018 at 06:18:16PM -0400, David Kohn wrote:
> We certainly don't want to double-down on extending trust by allowing
> someone to modify someone else's trusted role list. Practically, if you
> are opening up permissions to someone, you will need to create a group
> t
On 9 August 2018 at 18:18, David Kohn wrote:
> Anyway, I guess all of this seems to introduce a lot more complexity into
> an already complex permissions management system...is this all about the
> public schema? Can we just make create function/operator etc something you
> have to grant even in th
>
> We certainly don't want to double-down on extending trust by allowing
> someone to modify someone else's trusted role list. Practically, if you
> are opening up permissions to someone, you will need to create a group
> that you both belong to first, and have them trust the group, or they
> can
On Thu, Aug 9, 2018 at 04:01:09PM -0400, David Kohn wrote:
>
> On Thu, Aug 9, 2018 at 3:04 PM Bruce Momjian wrote:
>
> Well, right now, if you want to give members of a role rights to
> something, you have to specifically grant rights to that role. I would
> assume the sam
On Thu, Aug 9, 2018 at 3:04 PM Bruce Momjian wrote:
>
> Well, right now, if you want to give members of a role rights to
> something, you have to specifically grant rights to that role. I would
> assume the same thing would happen here --- if you want to trust a group
> role, you have to menti
On Wed, Aug 08, 2018 at 01:15:38PM -0400, Tom Lane wrote:
> This is sort of a counter-proposal to Noah's discussion of search path
> security checking in <20180805080441.gh1688...@rfd.leadboat.com>.
> (There's no technical reason we couldn't do both things, but I think
> this'd be more useful to mo
On Thu, Aug 9, 2018 at 02:12:41PM -0400, David Kohn wrote:
> On Thu, Aug 9, 2018 at 12:11 PM Bruce Momjian wrote:
> I can't think of any other places we do transitive permissions, except
> for role membership. I don't see the logic in adding such transitivity
> to function/operator c
On Thu, Aug 9, 2018 at 12:11 PM Bruce Momjian wrote:
> ...
>
> > The things that we hadn't resolved, which is why this didn't get further
> > than POC stage, were
> >
> > (1) What's the mechanism for declaring trust? In this POC, it's just
> > a GUC that you can set to a list of role names, with
On Wed, Aug 8, 2018 at 01:15:38PM -0400, Tom Lane wrote:
> This is sort of a counter-proposal to Noah's discussion of search path
> security checking in <20180805080441.gh1688...@rfd.leadboat.com>.
> (There's no technical reason we couldn't do both things, but I think
> this'd be more useful to mo
11 matches