2011/11/26 Dimitri Fontaine <[email protected]>: > Kohei KaiGai <[email protected]> writes: >> We still don't have clear direction of the way to implement external >> permission >> checks on object creation time. So, please consider these patches are on the >> proof-of-concept stage; using prep-creation-hook to permission checks. > > I wonder if you could implement that as an extension given the command > trigger patch finds its way in. What do you think? > Unfortunately, it does not solve my point.
My proposition allows an extension to deliver an opaque value being set up at the prep-creation hook into post-creation hook. It shall be used to deliver a security label to be assigned on the new object, however, it is unavailable to assign on prep-creation phase, because its object-id is not fixed yet. (It is not an option to ask operating system a default security label of the new object twice, because security policy may be reloaded between prep- and post-.) It is also reason why I mentioned about an idea that put prep-creation hook on a limited number of object classes only. It requires us code modification to maintain an opaque private between prep- and post- hooks. Thanks, -- KaiGai Kohei <[email protected]> -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
