KaiGai Kohei wrote:
> > OK. I am wondering if we _want_ two ways to set column permisions,
> > especially since I think there will be only one way to set row-level
> > permissions.
>
> I think we should not see the feature from only the viewpoint
> of granularity in access controls. The both of new security
> features (sepgsql and rowacl) are enhanced security features,
> but the Stephen's efforts is one of the core features based on
> SQL-standard and enabled in the default. Please pay mention
> that any given queries have to be checked by the core facility,
> and can be checked by the enhanced one if enabled.
>
> The PGACE security framework enables us to implement various
> kind of enhanced security features, and has two guest facilities
> now. They can have its own security model and granularities as
> a part of its design. The one has its granularities with some
> of overlaps on tables/columns/functions, and the other also has
> its granularity without overlaps because its purpose is supplement
> of the core security facilities.
>
> So, it is not a strange design there is only one way to set
> row-level permissions, because the current SQL-standard does
> not have its specifications and no core facilities are here.
> If the future version of PostgreSQL got a newer row-level
> permissions defined within SQL-standard, I think there should
> be two ways to set row-level ones for both of the core and
> enhanced.
OK, I understand. Thanks.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +