Re: One Role, Two Passwords

On Thu, Jan 20, 2011 at 4:35 PM, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
>
>> How does this work with newly created objects? Is there a way to have
>> them default objects to a different owner, the parent of the two
>> roles?
>
> No, but you could easily assign default permissions.
>
>> In the case of password rotation, the goal would be to
>> drop the old password after all clients have had reasonable chance to
>> get an update.  One could work around by generating new
>> username+password pairs constantly, but there are conveniences to
>> having a stable public-identifier for a role in addition to a private
>> secret used to authenticate it
>
> I guess I don't really understand what the real-world use case for this is.

Here's one: running a cluster with dynamic resource provisioning and
diverse applications, whereby one has the following constraints:

* Ensure all existing open database sessions operate as before without
interruption

* Not be able to ensure after any one point that all *new* connection
attempts will be with the new set of credentials

* Ensure that all database objects created using new or old
credentials are indistinguishable

* Eventual Retirement of old credentials without having to issue ALTER
statements (or really statements of any kind...) against application
schema objects.

I don't see precisely how I can do this.

--
fdr