Fine-grained privileges on every objects types

[bersace]

I'm sharing a proposal to manage fine-grained privileges in ldap2pg.

To manage privileges, ldap2pg loops on database and schema. But sometime, that would be nice to loop on other objects like table, views, procedures, etc.

An idea on this would be to be able to define generic object inspection:

postgres:
  object_queries:
    database: …
    schema: …
    object: …

When granting a privilege, one can append extra parameter. Matching object type will be used.

- grant:
    privilege: select_on_table
    database: …
    schema: …
    object: __all__

Privilges can use object type in grant and revoke queries:

privileges:
  select_on_table:
    grant: GRANT SELECT ON TABLE {object} IN SCHEMA {schema} TO {role};
    revoke: REVOKE SELECT ON TABLE {object} IN SCHEMA {schema} FROM {role};

__select_on_all_tables__ could be rewritten like this, saving huge query to inspect.

Feedback welcome :-)

[Dallery]

Hi,

I'm not sure, but this fonctionality (managing privileges on tables, views, etc.) is not implemented, is it ? I would like to manage SELECT, INSERT, etc. on some tables in some schemas, but i did not find in the documentation how do it. Could you please confirm if it is possible to manage tables, or not ? Because i have tried the syntax in your issue, but i got some errors.

Thanks

[bersace]

Hi @Dallery . ldap2pg does not manage per-object privilege. This issue is just an open discussion.

[bersace]

I'm wondering the performance cost of inspecting zillons of objects.