| From: | Dave Page <dpage(at)pgadmin(dot)org> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Application name patch - v2 |
| Date: | 2009-10-19 10:39:58 |
| Message-ID: | 937d27e10910190339h4fedfbd8l6c851e5f3a45e76f@mail.gmail.com |
| Lists: | pgsql-hackers |

On Mon, Oct 19, 2009 at 11:21 AM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
>> A user can do that anyway if query logging is turned on, but anyway,
>> what would you suggest - accept a-zA-Z0-9 and a few other choice
>> characters only, or just reject a handful (and if so, what)?
>
> Well, either you make the thing wide open and thus pretty insecure and
> unreliable, or you put in arbitrary limits which will possibly upset
> many users, or you design some fairly complex rules about what is
> allowed or not in what context.
>
> At which point you might realize that you can pretty much do all of this
> already in a much better way: Create a user account for each application
> or group of applications and assign them the roles that you are
> currently using as login users. The user names already show up in all
> the places that people want: ps, log, activity tables. And moreover,
> the admin can control exactly who is allowed to use what user name in
> what context, so there is no log spamming or confusing one's identity.
Excuse me one moment whilst I pick myself up from the floor :-)

Can you imagine what a maintenance nightmare that would soon become? I
might need a role for running the nightly backup, one for a weekly
backup, one for each of a dozen data import/export tasks. What about a
system supporting multiple applications? I used to have a dozen or
more running on one server, with a hundred plus users, many of whom
used 2 or 3 applications, some of whom would also use reporting tools
such as Crystal Reports in addition to the primary application. I'd
need to give those users half a dozen or more roles each (which
probably won't work nicely in my SSO environment).

Please bear in mind that this feature is based on similar features in
other DBMSs (and in fact, a feature in the JDBC spec) that people have
asked for on a number of occasions. It's not a random idea I've come
up with - my aim is to create a comparable feature to that which
people may be accustomed to, in a secure and PostgreSQL-applicable
way.
--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
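The two options Dave raises in the quoted exchange (accept a small whitelist of characters, or reject a handful of dangerous ones) are both about keeping a client-supplied string from corrupting what an admin sees in `ps` and the server log. The following is an added illustration written for this archive page, not code from the thread or from PostgreSQL itself. The printable-ASCII rule it implements (replace anything outside 0x20..0x7E with `?`) is the behaviour PostgreSQL's documentation describes for `application_name`; the function names, the length cap and the whitelist of extra punctuation are my own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Option 1 (reject a handful): rewrite the name in place so that it contains
 * only printable ASCII. Newlines, tabs, escape sequences and non-ASCII bytes
 * become '?', so a name can never forge a second log line or drive a terminal
 * escape through "ps". Returns how many bytes were replaced so callers can
 * log or count the rewrites. (Hypothetical helper, not PostgreSQL's own.)
 */
size_t sanitize_application_name(char *name)
{
    size_t replaced = 0;

    for (char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char) *p;

        if (c < 0x20 || c > 0x7E) {
            *p = '?';
            replaced++;
        }
    }
    return replaced;
}

/*
 * Option 2 (accept a whitelist): a-zA-Z0-9 plus a few chosen punctuation
 * characters, non-empty and bounded in length. The extra set is an assumed
 * policy choice; an admin would tune it for their environment.
 */
bool application_name_is_allowed(const char *name, size_t maxlen)
{
    static const char extra[] = " ._-/:";
    size_t n = strlen(name);

    if (n == 0 || n > maxlen)
        return false;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char) name[i];

        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9') || strchr(extra, c) != NULL)
            continue;
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample: a name carrying an embedded newline and a fake
     * log prefix, the kind of value that would confuse a log reader. */
    char hostile[] = "reporting\nFATAL: forged line";
    char utf8[]    = "caf\xc3\xa9";

    printf("replaced %zu byte(s): %s\n", sanitize_application_name(hostile), hostile);
    printf("replaced %zu byte(s): %s\n", sanitize_application_name(utf8), utf8);
    printf("whitelist nightly_backup: %d\n", application_name_is_allowed("nightly_backup", 64));
    printf("whitelist with newline:   %d\n", application_name_is_allowed("nightly backup\n", 64));
    return 0;
}
```

The trade-off the thread is arguing about shows up directly: the sanitizer keeps every name usable (at the cost of `?` appearing in logs for non-ASCII names), while the whitelist gives the admin a hard guarantee about what can appear but will reject names some users consider legitimate.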