From: | David Fetter <david(at)fetter(dot)org> |
---|---|
To: | Chris Browne <cbbrowne(at)acm(dot)org> |
Cc: | pgsql-advocacy(at)postgresql(dot)org |
Subject: | Re: drupal.org MySQL database issues |
Date: | 2007-05-21 14:57:57 |
Message-ID: | 20070521145757.GA11913@fetter.org |
Lists: | pgsql-advocacy |

On Sun, May 20, 2007 at 10:07:14PM -0400, Chris Browne wrote:
> jd(at)commandprompt(dot)com ("Joshua D. Drake") writes:
> > Tino Wildenhain wrote:
> >
> >> This way you can use pg_hba.conf, dedicated system tables or
> >> maybe LDAP one day. (or just another postgres database) Does it
> >> sound too easy? I hope so :-)
> >
> > Actually, that sounds bad. PostgreSQL should be the source of its
> > own auth.
>
> If there's a clear *OTHER* authority in the matter (e.g. - an LDAP
> instance that manages numerous other things), then that's manifestly
> not the case.

There is a math problem with this, namely that LDAP auth systems
assume a tree, where PostgreSQL's ROLEs are actually a directed
acyclic graph.

> Making a selection of mechanisms configurable seems entirely
> reasonable to me.
>
> In a web hosting environment, it would seem quite reasonable for
> authentication to be controlled in some central way that's *not*
> necessarily PG-based.

It's far from clear to me that creating a high-value target with
catastrophic cascading failure modes--a single sign-on system is an
example of this--is a design goal we should "help" people implement.

Cheers,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
phone: +1 415 235 3778 AIM: dfetter666
Skype: davidfetter
Remember to vote!
Consider donating to PostgreSQL: http://www.postgresql.org/about/donate