Thu Oct 2 10:54:29 PDT 2008
Brad Nicholson <bnichols at ca.afilias.info> writes:
> On Thu, 2008-10-02 at 11:18 -0400, Bill Moran wrote:
>> In response to "Vivek Khera" <vivek at khera.org>:
>>
>> > > Before I issue a GRANT to allow select rights on that table to anyone
>> > > who tries, my questions are:
>> > > * Is there any inherent danger in allowing SELECT on that table to
>> > >   normal users?
>> > > * Is there a better way (I looked for a stored procedure, such as
>> > >   getlocalnodeid(), but if it exists, I'm not seeing it in the docs)
>> >
>> > Can't you define a function that does that query and returns
>> > true/false as necessary, and is declared as SECURITY DEFINER so that
>> > it runs with sufficient privileges?
>>
>> That's what I'm doing ;)
>>
>> What I'm wondering now is if such a function doesn't really belong in
>> the core of Slony's built-in functions?
>
> I vote yes for a function that says "am I the origin of set x".
>
> As for putting in as a SECURITY DEFINER function, I vote no. Even
> though I don't think that piece of data is overly sensitive, Slony
> shouldn't make the decision to expose it to an unprivileged user -
> that's a decision for the DBA to make.

Actually, I think you're in "violent agreement," and don't realize it
:-).

SECURITY DEFINER actually *is* defined a lot for Slony-I functions,
and I think it's apropos for this.

Functions where SECURITY DEFINER is already indicated include:

- denyaccess
- getLocalNodeId
- getModuleVersion
- setSessionRole
- getSessionRole
- logTrigger

It doesn't imply you're granting permission, just that we're
indicating what role the function runs under. Granting access to the
function is a separate thing; that always remains a decision for the
DBA to make.

--
output = reverse("gro.mca" "@" "enworbbc")
http://linuxdatabases.info/info/spreadsheets.html
Rules of the Evil Overlord #209. "I will not, under any circumstances,
marry a woman I know to be a faithless, conniving, back-stabbing witch
simply because I am absolutely desperate to perpetuate my family
line. Of course, we can still date." <http://www.eviloverlord.com/>
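
The split discussed in this message, between the role a SECURITY DEFINER function runs under and who is allowed to call it, shown as an added PostgreSQL example; it is not code from the thread or from Slony-I. The schema `demo_cluster`, its `sl_set` table and `getlocalnodeid()` stub are constructed stand-ins for a real cluster's objects, and `is_set_origin` and `app_reader` are hypothetical names.

```sql
BEGIN;

-- Constructed stand-in for a replication cluster schema (assumption: a real
-- cluster already provides a set table and a local-node-id function).
CREATE SCHEMA demo_cluster;
REVOKE ALL ON SCHEMA demo_cluster FROM PUBLIC;
CREATE TABLE demo_cluster.sl_set (
    set_id     int PRIMARY KEY,
    set_origin int NOT NULL
);
INSERT INTO demo_cluster.sl_set VALUES (1, 1), (2, 3);   -- constructed rows
CREATE FUNCTION demo_cluster.getlocalnodeid() RETURNS int
    LANGUAGE sql STABLE AS 'SELECT 1';                   -- stub: this node is 1

CREATE ROLE app_reader NOLOGIN;   -- hypothetical unprivileged role

-- Hypothetical wrapper answering "am I the origin of set x?".
-- SECURITY DEFINER: the body runs with the function owner's privileges.
-- The pinned search_path keeps a caller from redirecting unqualified names.
CREATE FUNCTION public.is_set_origin(int) RETURNS boolean
    LANGUAGE sql STABLE
    SECURITY DEFINER
    SET search_path = demo_cluster, pg_temp
AS $$
    SELECT EXISTS (
        SELECT 1
          FROM demo_cluster.sl_set
         WHERE set_id = $1
           AND set_origin = demo_cluster.getlocalnodeid()
    );
$$;

-- Access is the separate, DBA-owned decision. PostgreSQL grants EXECUTE on
-- new functions to PUBLIC by default, so revoke it before granting narrowly.
REVOKE EXECUTE ON FUNCTION public.is_set_origin(int) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION public.is_set_origin(int) TO app_reader;

-- The unprivileged role can ask the yes/no question through the function,
-- while it still has no rights on the schema or the table behind it.
SET ROLE app_reader;
SELECT public.is_set_origin(1) AS origin_of_set_1,
       public.is_set_origin(2) AS origin_of_set_2;
RESET ROLE;

ROLLBACK;   -- leave no trace of the demonstration objects
```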
More information about the Slony1-general mailing list