Am Mittwoch, 7. Mai 2008 schrieb Tom Lane: > >> 1.1 Add a column named 'attrel' in pg_attribute catalog to store > >> column privileges. Now all column privileges are stored, no matter > >> whether they could be implied from table-level privilege. > > What this actually means, but doesn't say, is that there's no > table-level representation of INSERT/UPDATE privilege any more at all. > I think this is a pretty fundamental design error. In the first place > it bloats pg_attribute with data that's entirely redundant for the > "typical" case where per-column privileges aren't used. In the > second place it slows privilege checking for the typical case, since > instead of one check for the relation you have to do one for each > attribute. There are some other problems too, like having to extend > pg_shdepend to include an objsubid column, and some other places where > the patch has to do awkward things because it's now lacking table-level > information about privilege checks.
I haven't read the patch, but there is also a semantic issue, namely what happens to columns added after the grant. If the GRANT was to the table, new columns should get the same privileges. -- Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-patches