Privileges

Started by Simon Riggs over 15 years ago, 2 messages
#1 Simon Riggs
simon@2ndQuadrant.com
1 attachment(s)

There is a command to set privileges

GRANT SELECT ON ALL TABLES IN SCHEMA foo TO PUBLIC;

and a command to set default privileges

ALTER DEFAULT PRIVILEGES IN SCHEMA foo
GRANT SELECT ON TABLES TO PUBLIC;

In the first command the ALL is required, whereas in the second command
the ALL must be absent.

ISTM that the ALL should be optional in both cases.
Same thing is true for FUNCTIONS and SEQUENCES.

Both options are new in 9.0.

Any objections to implementing this simple patch?

--
Simon Riggs www.2ndQuadrant.com

Attachments:

optional_all.patch (text/x-patch; charset=UTF-8; name=optional_all.patch)
*** a/src/backend/parser/gram.y
--- b/src/backend/parser/gram.y
***************
*** 4658,4663 **** privilege_target:
--- 4658,4671 ----
  					n->objs = $2;
  					$$ = n;
  				}
+ 			| TABLES IN_P SCHEMA name_list
+ 				{
+ 					PrivTarget *n = (PrivTarget *) palloc(sizeof(PrivTarget));
+ 					n->targtype = ACL_TARGET_ALL_IN_SCHEMA;
+ 					n->objtype = ACL_OBJECT_RELATION;
+ 					n->objs = $4;
+ 					$$ = n;
+ 				}
  			| ALL TABLES IN_P SCHEMA name_list
  				{
  					PrivTarget *n = (PrivTarget *) palloc(sizeof(PrivTarget));
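Review bot: The new `TABLES IN_P SCHEMA name_list` alternative begins with TABLES, which is not a fully reserved word (the reply in this thread makes the same point), so the same token can also start a plain table name in this position. The grammar now relies on the following IN_P to tell the two apart. Please add regression tests that cover a table actually named tables, e.g. `GRANT SELECT ON tables TO PUBLIC;`, next to the new short form, and confirm bison reports no new conflicts.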
***************
*** 4666,4671 **** privilege_target:
--- 4674,4687 ----
  					n->objs = $5;
  					$$ = n;
  				}
+ 			| SEQUENCES IN_P SCHEMA name_list
+ 				{
+ 					PrivTarget *n = (PrivTarget *) palloc(sizeof(PrivTarget));
+ 					n->targtype = ACL_TARGET_ALL_IN_SCHEMA;
+ 					n->objtype = ACL_OBJECT_SEQUENCE;
+ 					n->objs = $4;
+ 					$$ = n;
+ 				}
  			| ALL SEQUENCES IN_P SCHEMA name_list
  				{
  					PrivTarget *n = (PrivTarget *) palloc(sizeof(PrivTarget));
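Review bot: In the added `SEQUENCES IN_P SCHEMA name_list` rule, targtype is still ACL_TARGET_ALL_IN_SCHEMA, so a statement that no longer says ALL still grants on every sequence in the listed schemas. The patch touches only gram.y; the GRANT reference synopsis should change in the same patch and state that the short form is equivalent to ALL SEQUENCES IN SCHEMA, so that nobody reading a script takes it for a narrower grant.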
***************
*** 4674,4679 **** privilege_target:
--- 4690,4703 ----
  					n->objs = $5;
  					$$ = n;
  				}
+ 			| FUNCTIONS IN_P SCHEMA name_list
+ 				{
+ 					PrivTarget *n = (PrivTarget *) palloc(sizeof(PrivTarget));
+ 					n->targtype = ACL_TARGET_ALL_IN_SCHEMA;
+ 					n->objtype = ACL_OBJECT_FUNCTION;
+ 					n->objs = $4;
+ 					$$ = n;
+ 				}
  			| ALL FUNCTIONS IN_P SCHEMA name_list
  				{
  					PrivTarget *n = (PrivTarget *) palloc(sizeof(PrivTarget));
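Review bot: The action for `FUNCTIONS IN_P SCHEMA name_list` is the third added copy of the same block, differing only in objtype, and it uses `$4` where the ALL form uses `$5`. A wrong positional index in one of these copies would be easy to miss. Consider building the PrivTarget in one small helper that takes the object type and the name list, and calling it from each alternative.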
***************
*** 4869,4877 **** DefACLAction:
  		;
  
  defacl_privilege_target:
! 			TABLES			{ $$ = ACL_OBJECT_RELATION; }
! 			| FUNCTIONS		{ $$ = ACL_OBJECT_FUNCTION; }
! 			| SEQUENCES		{ $$ = ACL_OBJECT_SEQUENCE; }
  		;
  
  
--- 4893,4904 ----
  		;
  
  defacl_privilege_target:
! 			ALL		TABLES			{ $$ = ACL_OBJECT_RELATION; }
! 			|		TABLES			{ $$ = ACL_OBJECT_RELATION; }
! 			| ALL	FUNCTIONS		{ $$ = ACL_OBJECT_FUNCTION; }
! 			| 	 	FUNCTIONS		{ $$ = ACL_OBJECT_FUNCTION; }
! 			| ALL	SEQUENCES		{ $$ = ACL_OBJECT_SEQUENCE; }
! 			| 		SEQUENCES		{ $$ = ACL_OBJECT_SEQUENCE; }
  		;
  
  
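Review bot: The new `ALL TABLES`, `ALL FUNCTIONS` and `ALL SEQUENCES` alternatives in defacl_privilege_target return exactly the same value as the forms without ALL, so the keyword is accepted and then discarded. If this spelling is kept, the ALTER DEFAULT PRIVILEGES documentation has to say that ALL is a noise word here and changes nothing about which objects are covered. Separately, the added lines mix spaces and tabs after `|` (see the FUNCTIONS line); please indent with tabs only, as the replaced lines do.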
#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Simon Riggs (#1)
Re: Privileges

Simon Riggs <simon@2ndQuadrant.com> writes:

> There is a command to set privileges
>
> GRANT SELECT ON ALL TABLES IN SCHEMA foo TO PUBLIC;
>
> and a command to set default privileges
>
> ALTER DEFAULT PRIVILEGES IN SCHEMA foo
> GRANT SELECT ON TABLES TO PUBLIC;
>
> In the first command the ALL is required, whereas in the second command
> the ALL must be absent.
>
> ISTM that the ALL should be optional in both cases.

I don't believe this is a good idea. ALL in the second statement would
give a completely misleading impression, because it does *not* grant
privileges on all tables, in particular it doesn't affect existing
tables. Conversely, leaving out ALL in the first statement would limit
our flexibility to insert additional options there in future. (ALL is a
fully reserved word, TABLES isn't, so your proposal greatly increases
the odds of future syntactic conflicts.)

regards, tom lane
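
The difference between the two commands discussed in this thread can be checked directly with a privilege matrix. The script below is an added example, not part of either message or of the patch; the schema `acl_demo`, the roles `demo_existing` and `demo_future`, and the tables `t_before` and `t_after` are constructed names, and it assumes a role allowed to create roles and schemas.

```sql
-- Added illustration; acl_demo, demo_existing, demo_future, t_before and
-- t_after are constructed names. Runs in one transaction and rolls back.
BEGIN;

CREATE SCHEMA acl_demo;
CREATE ROLE demo_existing;
CREATE ROLE demo_future;

-- A table that exists before either privilege command runs.
CREATE TABLE acl_demo.t_before (id int);

-- First command from the thread: acts once, on the tables present right now.
GRANT SELECT ON ALL TABLES IN SCHEMA acl_demo TO demo_existing;

-- Second command from the thread: records a default ACL that is applied to
-- tables the current role creates in this schema from now on.
ALTER DEFAULT PRIVILEGES IN SCHEMA acl_demo
    GRANT SELECT ON TABLES TO demo_future;

-- A table created after both commands.
CREATE TABLE acl_demo.t_after (id int);

-- Privilege matrix: one row per table, one column per role.
SELECT c.relname,
       has_table_privilege('demo_existing'::name, c.oid, 'SELECT')
           AS existing_role_can_select,
       has_table_privilege('demo_future'::name, c.oid, 'SELECT')
           AS future_role_can_select
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'acl_demo' AND c.relkind = 'r'
ORDER BY c.relname;

-- The stored default ACL itself, for auditing what future objects receive.
SELECT pg_get_userbyid(d.defaclrole) AS owner_role,
       n.nspname AS schema_name,
       d.defaclobjtype,
       d.defaclacl
FROM pg_default_acl d
JOIN pg_namespace n ON n.oid = d.defaclnamespace
WHERE n.nspname = 'acl_demo';

ROLLBACK;
```

In the matrix, the one-shot GRANT covers only `t_before` and the default-privilege entry covers only `t_after`; auditing a schema's effective access therefore needs both the per-table check and the `pg_default_acl` listing.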