| From: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Kenaniah Cerny <kenaniah(at)gmail(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Proposal: allow database-specific role memberships |
| Date: | 2021-10-11 15:15:10 |
| Message-ID: | CAMsGm5dRqgW0-hugTr0GShzxg7Q4HdQDhEzu02CJAuY7RbZVug@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, 11 Oct 2021 at 11:01, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> Having an ability to GRANT predefined roles within a particular database
> is certainly something that I'd considered when adding the pg_read/write
> data roles. I'm not super thrilled with the idea of adding a column to
> pg_auth_members just for predefined roles though and I'm not sure that
> such role membership makes sense for non-predefined roles. Would
> welcome input from others as to if that's something that would make
> sense or if folks have asked about that before. We'd need to carefully
> think through what this means in terms of making sure we don't end up
> with any loops too.
>
I think the ability to grant a role within a particular database would be
useful. For example, imagine I have a dev/testing instance with multiple
databases, each a copy of production modified in some way for different
testing purposes. For example, one might be scrambled data (to make the
testing data non- or less- confidential); another might be limited to data
from the last year (to reduce the size of everything); another might be
limited to 1% of all the customers (to reduce the size in a different way);
and of course these could be combined.
It’s easy to imagine that I might want to grant a user the ability to
connect to all of these databases, but to have different privileges. For
example, maybe they have read_confidential_data in the scrambled database
but not in the reduced-but-not-scrambled databases. But maybe they have a
lesser level of access to these databases, so just using the connect
privilege won't do the job.
I’ve already found it a bit weird that I can set per-role, per-database
settings (e.g search_path), and of course privileges on individual objects,
but not which roles the role is a member of.
I haven’t thought about implementation at all however. The thought occurs
to me that the union of all the role memberships in all the database should
form a directed acyclic graph. In other words, you could not have X a
member of Y (possibly indirectly) in one database while Y is a member of X
in another database; the role memberships in each database would then be a
subset of the complete graph of memberships.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dilip Kumar | 2021-10-11 15:16:32 | Reset snapshot export state on the transaction abort |
| Previous Message | Tom Lane | 2021-10-11 15:03:35 | Re: pgsql: Adjust configure to insist on Perl version >= 5.8.3. |