Re: on connect/on disconnect

On 9/11/06, Robert Edwards <bob(at)cs(dot)anu(dot)edu(dot)au> wrote:
>
> Markus Schaber wrote:
> > Hi, Robert,
> >
> > Robert Edwards wrote:
> >
> >>(this is my first post to this list...)
> >
> >
> > Welcome here. :-)
> >
> >
> >>I am wondering if Postgres, and/or SQL in general, has a facility to
> >>run a function at connection set-up time (after a successful connection
> >>attempt) and/or at session completion (or disconnect)?
> >
> >
> > Most JDBC connection pooling implementations will do that, at least for
> > connection and session setup. (JBoss is one of them.)
> >
> >
> >>I want to pre-populate a table (actually an INSERT rule on a view)
> >>with some user-specific data that is unlikely to change during the
> >>session and which is "difficult" to process (ie. affects performance
> >>to do it too often).
> >
> >
> > The problem here is that the INSERT rule might be globally visible to
> > other, concurrent users on the database.
> >
>
> Indeed it is, but the sole reason to use a rule (instead of a straight
> INSERT) is that it qualifies the INSERT against the current user.
>
> > Could you explain what exactly you want to achieve, may be we find a
> > better way to do the whole thing.
> >
> Basically, I have a heirarchical arrangement of users in "roles" (almost
> the same as the 8.1 user/group/role mechanism, but in "PUBLIC" schema
> space, and with various triggers etc. in play). The access controls
> apply conditions based on which "roles" (groups) the current user is
> a member of (and these users never have "super-user" privilege, so the
> SET SESSION AUTHORIZATION mechanism does not apply here). The heirarchy
> is not a "tree" structure - any role can belong to any number of other
> roles (have many parents), so it is a Digraph (directed graph).
>
> I have some plpgsql functions, one of which is used to determine which
> roles a user is in, but it is necessarily recursively called, which
> means it runs in non-deterministic time.
>
> (Just for completeness, I'll include that function here:
> create or replace function get_anc () returns setof member as '
> declare
> rMem member;
> begin
> for rMem in select * from member where child = $1 loop
> return next rMem;
> for rMem in select * from get_anc (rMem.parent) loop
> return next rMem;
> end loop;
> end loop;
> return;
> end;
> ' language plpgsql;

If your membership (member table) does not change very often, I would
recommend adding an insert/update trigger to that table which updates a
flattened version of these results (basically a materialized view). Then
you don't need to run this function unless the membership changes and only
once per membership change. Then you authorize the person against that
flattened table rather than look at the member table. Then you wouldn't
need to run this upon every log in.

I do something like this (though simpler) and have the application get the
permissions and cache them. It sounds like you are probably trying to put
your permission checking in the database. You might want to consider using
a session based temp table and run a different function that first checks
the temp table, if the table is empty it runs the function above and
populates the temp table, if the table is not empty it uses the temp table.
This is a form of lazy instantiation and would not require you to have
connect/disconnect triggers.

==================================================================
Aaron Bono
Aranya Software Technologies, Inc.
http://www.aranya.com
http://codeelixir.com
==================================================================