Greetings,

* Alvaro Herrera (alvhe...@alvh.no-ip.org) wrote:
> On 2021-Nov-08, Stephen Frost wrote:
>
> > * Alvaro Herrera (alvhe...@alvh.no-ip.org) wrote:
> >
> > > That said, if the list is short, then additional predefined roles seem
> > > preferable to having a ton of infrastructure code that might be much
> > > more clutter than what seems a short list of additional predefined roles.
> >
> > None of this strikes me as a 'ton of infrastructure code' and so I'm not
> > quite sure I'm following the argument being made here.
>
> I was referring specifically to Andres' idea of having additional DDL
> commands handled as special GRANTable privileges,
> https://postgr.es/m/20211104224636.5qg6cfyjkw52r...@alap3.anarazel.de

Ah, thanks, I had seen that but didn't quite associate it to this comment.

Perhaps not a surprise, but I tend to favor predefined roles for these kinds of things. If we do want to revamp how GRANT works, I'd argue for first splitting up the way we handle privileges to be on a per-object-type basis and once we did that then we could extend that to allow GRANT on commands more easily (and with more variety as to what privileges a GRANT on a command could be).

It's kind of cute to have one bitmap covering all objects but it puts us into a place where extending what can be GRANT'd on one kind of object necessarily impacts our ability to GRANT on other kinds (eg: we have a bit reserved for TRUNCATE in the same bitmask for a schema as we do for a table, but we don't allow TRUNCATE on schemas and probably never will).

Thanks,

Stephen