Ok, I've taken a quick look at this too. My first impression is that this is actually not a very big patch. Much much smaller than I was afraid of. It seems that dropping the row-level security and the other change you've already done have helped a great deal.

My first question is, why does the patch need the walker implementation to gather all the accessed tables and columns? Can't you hook into the usual pg_xxx_aclcheck() functions? In fact, Peter asked that same question here: http://archives.postgresql.org/pgsql-hackers/2009-01/msg02295.php (among other things). Many things have changed since, but I don't think that question has been adequately answered. Different handling of permissions on views was mentioned, but I think that could be handled with just a few extra checks in the rewriter or executor.

The hooks in simple_heap_insert also seem a bit weird. Perhaps an artifact of the row-level security stuff that's no longer there. ISTM that setting the defaults should be done in the same places where the defaults for acl columns are filled, e.g in ProcedureCreate.

PS. s/proselabal/proselabel

--
  Heikki Linnakangas
  EnterpriseDB   http://www.enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to