Re: [HACKERS] GRANT EXECUTE ON FUNCTION foo() TO bar();

2017-02-22 Thread Jim Nasby
On 2/22/17 2:51 AM, Pavel Stehule wrote: The solution based on rights is elegant, but in this moment I cannot to see all possible impacts on performance - because it means new check for any call of any function. Maybe checking call stack can be good enough - I have not idea how often use case it

Re: [HACKERS] GRANT EXECUTE ON FUNCTION foo() TO bar();

2017-02-22 Thread Joel Jacobson
On Wed, Feb 22, 2017 at 2:18 PM, Tom Lane wrote: > I think this is really *not* a good idea. The entire permissions model > is built around granting permissions to roles, by other roles. My bad. I shouldn't have proposed the idea on how to achieve/implement the idea. I

Re: [HACKERS] GRANT EXECUTE ON FUNCTION foo() TO bar();

2017-02-22 Thread Tom Lane
Joel Jacobson writes: > Currently, it's only possible to grant/revoke execute on functions to roles. > I think it would be useful in many situations, both for documentation > purposes, > but also for increased security, to in a precise way control what > other function(s) are

Re: [HACKERS] GRANT EXECUTE ON FUNCTION foo() TO bar();

2017-02-22 Thread Pavel Stehule
2017-02-22 9:20 GMT+01:00 Joel Jacobson : > On Wed, Feb 22, 2017 at 9:07 AM, Pavel Stehule > wrote: > > Usage of X functions can be locked in schema. > > I think that's also a good idea. Both are useful I think. They solve > two different use-cases. > >

Re: [HACKERS] GRANT EXECUTE ON FUNCTION foo() TO bar();

2017-02-22 Thread Joel Jacobson
On Wed, Feb 22, 2017 at 9:07 AM, Pavel Stehule wrote: > Usage of X functions can be locked in schema. I think that's also a good idea. Both are useful I think. They solve two different use-cases. If there are multiple callers of a private function within a schema, it

Re: [HACKERS] GRANT EXECUTE ON FUNCTION foo() TO bar();

2017-02-22 Thread Pavel Stehule
2017-02-22 8:06 GMT+01:00 Joel Jacobson : > Hi Hackers, > > Currently, it's only possible to grant/revoke execute on functions to > roles. > > I think it would be useful in many situations, both for documentation > purposes, > but also for increased security, to in a precise way

[HACKERS] GRANT EXECUTE ON FUNCTION foo() TO bar();

2017-02-21 Thread Joel Jacobson
Hi Hackers, Currently, it's only possible to grant/revoke execute on functions to roles. I think it would be useful in many situations, both for documentation purposes, but also for increased security, to in a precise way control what other function(s) are allowed to execute a specific function.