[cap-talk] capabilities in relational databases
Sam Mason
sam at samason.me.uk
Sat Apr 12 11:29:34 CDT 2008
On Sat, Apr 12, 2008 at 02:51:14PM +0100, I wrote:
> I think PostgreSQL provides a set of tools that allows something
> similar to caps.

Just thought to check about delegation and yes, PG supports this as
well. I can create a user charlie:

  a: CREATE ROLE charlie;

Bob can then create his own view and grant it to charlie:

  b: CREATE VIEW vb AS SELECT * FROM vt;
  b: GRANT SELECT ON vb TO charlie;

Charlie can then get out whatever Bob can see while not having
permission to view t:

  c: SELECT * FROM vb;
   n
  ---
   1
   2
  (2 rows)
  c: SELECT * FROM t;
  ERROR: permission denied for relation t

Unfortunately there's still a big mutable namespace, but it's looking
more and more like a protected capability system to me.

Sam
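
[Added example, not part of the original post.] The delegation chain above as one psql script, extended with a revocation step: PostgreSQL checks a view's underlying relations with the view owner's privileges each time the view is queried, so withdrawing Bob's grant on vt also cuts off Charlie's access through vb. The schema capdemo, the role names alice and bob, and the definitions of t and vt are assumptions constructed for this example; the post shows only the sessions a:, b:, c: and the object names t, vt and vb.

```sql
-- Run as a superuser in a scratch database (assumption: nothing named
-- capdemo, alice, bob or charlie exists yet).
CREATE ROLE alice;
CREATE ROLE bob;
CREATE ROLE charlie;
CREATE SCHEMA capdemo;
GRANT USAGE ON SCHEMA capdemo TO alice, bob, charlie;
GRANT CREATE ON SCHEMA capdemo TO alice, bob;
SET search_path = capdemo;

-- alice owns the base table and hands bob a filtered view of it.
SET ROLE alice;
CREATE TABLE t (n int, visible_to text);           -- constructed sample data
INSERT INTO t VALUES (1, 'bob'), (2, 'bob'), (3, 'alice');
CREATE VIEW vt AS SELECT n FROM t WHERE visible_to = 'bob';
GRANT SELECT ON vt TO bob;

-- bob delegates by wrapping what he can see in a view he owns.
SET ROLE bob;
CREATE VIEW vb AS SELECT * FROM vt;
GRANT SELECT ON vb TO charlie;

-- charlie holds a grant on vb only, so vb is his sole route to the data.
SET ROLE charlie;
SELECT * FROM vb;
SELECT * FROM vt;   -- no grant on vt: refused
SELECT * FROM t;    -- no grant on t: refused

-- Revocation: alice withdraws bob's grant. vb still exists and charlie
-- still holds SELECT on it, but the query is checked against bob's
-- privileges on vt, so it is now refused.
SET ROLE alice;
REVOKE SELECT ON vt FROM bob;
SET ROLE charlie;
SELECT * FROM vb;

-- Inspect who holds what; names in this catalog are the mutable
-- namespace the post mentions.
RESET ROLE;
SELECT grantor, grantee, table_name, privilege_type
  FROM information_schema.table_privileges
 WHERE table_schema = 'capdemo'
 ORDER BY table_name, grantee;

-- Clean up.
DROP SCHEMA capdemo CASCADE;
DROP ROLE alice, bob, charlie;
```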