Re: [PATCHES] Users/Groups -> Roles

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > Tom, if you're watching, are you working on this? I can probably spend
> > some time today on it, if that'd be helpful.
>
> I am not; I was hoping you'd deal with SET ROLE. Is it really much
> different from SET SESSION AUTHORIZATION?

No, it's not, but it's going to need to be done carefully to make sure
GetUserId() returns the correct thing at the correct time and that the
other GetSessionUserId() calls are only used where they should be and
that they return the correct information too.

I'll work on SET ROLE and the associated CURRENT_* functions and
information_schema today and tommorow.

> > I'm pretty sure others have been asking about per-catalog users and if
> > we're going to accept that per-catalog roles makes sense I'd really
> > think per-catalog users would too.
>
> We really can't do this. Especially not 3 days before feature freeze.

Right, I wasn't expecting that to be done in this round. It's something
people have asked for though and so might be something to consider for
8.2. I'm hoping your work on CREATEROLE will stem some of that demand
for per-catalog users/roles actually. I've been trying to think what
else per-catalog users/roles would get us besides a segmented namespace.
I think one big issue is that we don't have a 'usage' database check
beyond pg_hba and so any user could get the schema definitions for any
database, which kind of sucks. Is that maybe something we could try to
address for 8.1?

Thanks,

Stephen