From: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCHES] Users/Groups -> Roles |
Date: | 2005-06-30 14:17:39 |
Message-ID: | Pine.LNX.4.63.0506301514100.3461@sablons.cri.ensmp.fr |
Lists: | pgsql-hackers pgsql-patches |
Dear Stephen,
Thanks again on working on this feature.
> Role right resolution starts from the user and then works backwards up
> the tree, with multi-level resolution. It wouldn't go past the logged
> in user since that's really where it starts.
ISTM that the starting point should *not* be the user, but the
CURRENT_ROLE, which must be something distinct: Even if I'm root, if a
'SET ROLE very_limited_privileges' is performed, then the privileges in
effect are those of the chosen role. That is what is told by section
4.34.1.1 "SQL-session authorization identifiers" of the SQL 2003 specs as
I understand it.
If the user is kind of a role, then I'm afraid the whole point may be
missed. But maybe not, it would depend on the implementation details.
>> So for me we should have per-cluster users as they were up to now,
>> per-catalog roles with the properties I described, and possibly
>> per-cluster groups just for the sake of compatibility/simplicity of the
>> access control and managing groups of users as a whole. ROLE should not
>> replace USER/GROUP. It should be added next to it.
>
> I don't see much point in having USER or GROUP when we have roles.
Indeed, if you have per-cluster ROLE, you don't need GROUP anymore.
If USER is per-cluster for connection management and ROLE per-catalog for
database access management, then you will need a per-cluster grouping
(say for pg_hba.conf...) which is just the current GROUP.
> Is there something specific that you feel can't be done with roles that
> could be done w/ USER/GROUP?
No, it is the reverse: I'm afraid that, the way it seems to be heading, no
more will be done with roles than was done with groups before.
> Per-catalog roles is an interesting idea, but I'd tend to think that if
> you want per-catalog roles, you'd want per-catalog users too.
I'm fine with per-cluster users.
> I just went through the spec yesterday, check -hackers for my email
Ok, I'm going to look into that.
> about what CVS head supports vs. what's in the SQL spec. I don't see
> any particular reason why we wouldn't be able to fully support 'Basic
> roles' and 'Extended roles' in 8.1, I think we're quite close now...
I'm looking forward to the 'SET ROLE' implementation. If the
interpretation of the privileges is restricted to the current role, then
I'll be happy.
I still think that removing groups and having per-cluster roles is not a
good idea. The better way would be to keep user/group and add per-catalog
roles. There is an opportunity which is being missed, and that won't show
up again later. Well, I can see that I'm pretty alone in thinking that ;-)
Thanks for your answer, have a nice day,
--
Fabien.
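The behaviour Fabien asks for above (privilege resolution starting from the CURRENT_ROLE set by SET ROLE, not from the logged-in user) is what the PostgreSQL role system ended up implementing in 8.1 and later. The following psql script is an added illustration, not part of this message or of the patch under discussion; the role and table names (very_limited_privileges, accounts) are made up, and it assumes it is run by a superuser.

```sql
-- Added example (not from the original thread): SET ROLE semantics in
-- PostgreSQL 8.1+. Run as a superuser in psql. Names are hypothetical.

CREATE ROLE very_limited_privileges NOLOGIN;
CREATE TABLE accounts (id int PRIMARY KEY, balance numeric);
INSERT INTO accounts VALUES (1, 100), (2, 250);       -- constructed sample rows
GRANT SELECT ON accounts TO very_limited_privileges;  -- read only, no UPDATE

-- Before SET ROLE the session user and the current role coincide.
SELECT session_user, current_user;

-- Switch the current role. A non-superuser may only SET ROLE to a role it
-- is a member of (GRANT very_limited_privileges TO that_user); a superuser
-- may switch to any role, and loses superuser rights while doing so.
SET ROLE very_limited_privileges;

-- session_user is still the logged-in identity; current_user is the role
-- that privilege checks now start from.
SELECT session_user, current_user;

-- Reads succeed because SELECT was granted to the current role.
SELECT count(*) FROM accounts;

-- Writes fail: the superuser rights of the session user do not leak
-- through. Expected: ERROR: permission denied for table accounts
UPDATE accounts SET balance = 0;

-- The same checks without triggering the error, for comparison:
SELECT has_table_privilege(current_user, 'accounts', 'UPDATE');  -- f
SELECT has_table_privilege(session_user, 'accounts', 'UPDATE');  -- t

-- Return to the privileges of the session user.
RESET ROLE;
```

Two practical notes: RESET ROLE (or SET ROLE NONE) restores the session user's full privileges, so a restricted role is a scoping tool within a session rather than a security boundary against the session user itself; and because role membership is inherited by default, the set of privileges in effect after SET ROLE is the chosen role's own grants plus those of any roles it is (transitively) a member of, which is the "multi-level resolution" Stephen describes, just started from the current role.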