From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Greg Stark <stark(at)mit(dot)edu>, Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Proposal: Save user's original authenticated identity for logging |
Date: | 2021-02-01 17:32:09 |
Message-ID: | 3344750.1612200729@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> This doesn't sound particularly workable: how would you manage
>> inside-the-database permissions? Kerberos isn't going to know
>> what "view foo" is, let alone know whether you should be allowed
>> to read or write it. So ISTM there has to be a role to hold
>> those permissions. Certainly, you could allow multiple external
>> identities to share a role ... but that works today.
> Agreed- we would need something in the database to tie it to and I don't
> see it making much sense to try to invent something else for that when
> that's what roles are. What's been discussed before and would certainly
> be nice, however, would be a way to have roles automatically created.
> There's pg_ldap_sync for that today but it'd be nice to have something
> built-in and which happens at connection/authentication time, or maybe a
> background worker that connects to an ldap server and listens for
> changes and creates appropriate roles when they're created. Considering
> we've got the LDAP code already, that'd be a really nice capability.
That's still got the same issue though: where does the role get any
permissions from?
I suppose you could say "allow auto-creation of new roles and make them
members of group X", where X holds the permissions that "everybody"
should have. But I'm not sure how much that buys compared to just
letting everyone log in as X.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | John Naylor | 2021-02-01 17:32:23 | [POC] verifying UTF-8 using SIMD instructions |
Previous Message | Ibrar Ahmed | 2021-02-01 17:17:21 | Next Commitfest Manager. |