| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Jaime Casanova <jaime(at)2ndquadrant(dot)com> |
| Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: db_user_namespace a "temporary measure" |
| Date: | 2014-03-12 14:48:13 |
| Message-ID: | 12100.1394635693@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Jaime Casanova <jaime(at)2ndquadrant(dot)com> writes:
> On Tue, Mar 11, 2014 at 10:06 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> But not sure how to define a unique
>> index that allows (joe, db1) to coexist with (joe, db2) but not with
>> (joe, 0).
> and why you want that restriction?
So that if I say "GRANT SELECT ON mytable TO joe", it's unambiguous which
user I'm granting to. There should be at most one "joe" that can access
any given database.
If we don't have such a restriction, we'll need syntax kluges in GRANT,
ALTER OWNER, and probably other commands to disambiguate whether a local
or global user is meant. Right now with the db_user_namespace mechanism,
you have to say GRANT ... TO "joe(at)db1" if you were granting to a local
user in db1. That's unambiguous all right, but it has little else to
recommend it.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2014-03-12 14:52:14 | Re: db_user_namespace a "temporary measure" |
| Previous Message | Tom Lane | 2014-03-12 14:42:03 | Re: pgstat wait timeout (RE: contrib/cache_scan) |