From: | Daniel Farina <drfarina(at)acm(dot)org> |
---|---|
To: | Josh Berkus <josh(at)agliodbs(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: One Role, Two Passwords |
Date: | 2011-01-21 00:47:48 |
Message-ID: | AANLkTimQNJf10H7TNADxZ8628-xnzkjPGzCXUq7iyLoT@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Jan 20, 2011 at 4:35 PM, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
>
>> How does this work with newly created objects? Is there a way to have
>> them default objects to a different owner, the parent of the two
>> roles?
>
> No, but you could easily assign default permissions.
>
>> In the case of password rotation, the goal would be to
>> drop the old password after all clients have had reasonable chance to
>> get an update. One could work around by generating new
>> username+password pairs constantly, but there are conveniences to
>> having a stable public-identifier for a role in addition to a private
>> secret used to authenticate it
>
> I guess I don't really understand what the real-world use case for this is.

Here's one: running a cluster with dynamic resource provisioning and
diverse applications, whereby one has the following constraints:

* Ensure all existing open database sessions operate as before without
  interruption
* Not be able to ensure after any one point that all *new* connection
  attempts will be with the new set of credentials
* Ensure that all database objects created using new or old
  credentials are indistinguishable
* Eventual Retirement of old credentials without having to issue ALTER
  statements (or really statements of any kind...) against application
  schema objects.

I don't see precisely how I can do this.
--
fdr
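
The two-login-role workaround with default permissions that the quoted replies discuss, written out against the constraints listed in the message. This is an added example, not code from any participant in the thread; the role, schema and table names and the passwords are constructed placeholders.

```sql
-- Stable identity that holds the privileges; it cannot log in itself.
CREATE ROLE app NOLOGIN;

-- One login role per credential generation, both members of app.
CREATE ROLE app_cred_old LOGIN PASSWORD 'placeholder-old' IN ROLE app;
CREATE ROLE app_cred_new LOGIN PASSWORD 'placeholder-new' IN ROLE app;

CREATE SCHEMA appdata AUTHORIZATION app;
GRANT USAGE, CREATE ON SCHEMA appdata TO app;

-- "Assign default permissions": tables created by either login role
-- become usable by every member of app.
ALTER DEFAULT PRIVILEGES FOR ROLE app_cred_old IN SCHEMA appdata
    GRANT ALL ON TABLES TO app;
ALTER DEFAULT PRIVILEGES FOR ROLE app_cred_new IN SCHEMA appdata
    GRANT ALL ON TABLES TO app;

-- Simulate one client on each credential (run as superuser).
SET SESSION AUTHORIZATION app_cred_old;
CREATE TABLE appdata.made_with_old (id int);
RESET SESSION AUTHORIZATION;

SET SESSION AUTHORIZATION app_cred_new;
CREATE TABLE appdata.made_with_new (id int);
RESET SESSION AUTHORIZATION;

-- Constraint 3: ownership still records which credential created each
-- table, so owner-only operations (ALTER TABLE, DROP TABLE) on
-- made_with_old are not available to app_cred_new.
SELECT tablename, tableowner
FROM pg_tables
WHERE schemaname = 'appdata'
ORDER BY tablename;

-- Constraint 4: retiring the old credential means touching application
-- objects, in every database where the role owns something.
REASSIGN OWNED BY app_cred_old TO app;  -- changes the owner of made_with_old
DROP OWNED BY app_cred_old;             -- clears its grants and default privileges
DROP ROLE app_cred_old;
```

Existing sessions and new connections on either credential keep working during the overlap, which covers the first two constraints; the last two are where this layout falls short.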