On Tue, Jun 17, 2014 at 10:06 PM, Stephen Frost <sfr...@snowman.net> wrote: > * Robert Haas (robertmh...@gmail.com) wrote: >> On Fri, Jun 13, 2014 at 3:11 AM, Dean Rasheed <dean.a.rash...@gmail.com> >> wrote: >> > Yeah, I was thinking something like this could work, but I would go >> > further. Suppose you had separate GRANTable privileges for direct >> > access to individual tables, bypassing RLS, e.g. >> > >> > GRANT DIRECT SELECT|INSERT|UPDATE|DELETE ON table_name TO role_name >> >> So, is this one new privilege (DIRECT) or four separate new privileges >> that are variants of the existing privileges (DIRECT SELECT, DIRECT >> INSERT, DIRECT UPDATE, DIRECT DELETE)? > > I had taken it to be a single privilege, but you're right, it could be > done for each of those.. I really don't think we have the bits for more > than one case here though (if that) without a fair bit of additional > rework. I'm not against that rework (and called for it wayyy back when > I proposed the TRUNCATE privilege, as I recall) but that's a whole > different challenge and no small bit of work..
Technically, there are 4 bits left, and that's what we need for separate privileges. We last consumed bits in 2008 (for TRUNCATE) and 2006 (for GRANT ON DATABASE), so even if we used all of the remaining bits it might be another 5 years before anyone has to do that refactoring. But even if the refactoring needs to be done now for some reason, it's only June, and the last CommitFest doesn't start until February 15th. I think we're being way too quick to jump to talking about what can and can't be done in time for 9.5. Let's start by figuring out how we'd really like it to work and then, if it's too ambitious, we can scale it back. My main concern about using only one bit is that someone might want to allow a user to bypass RLS on SELECT while still enforcing it for data-modifying operations. That seems like a plausible use case to me. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers