Re: [HACKERS] Re: PostgreSQL reference manual (groups) - Mailing list pgsql-hackers

From Zeugswetter Andreas
Subject Re: [HACKERS] Re: PostgreSQL reference manual (groups)
Date
Msg-id 01BD57D1.9C452340@pc9358.sd.spardat.at
List pgsql-hackers
David Gould wrote:
>Bruce Momjian writes:
>> > Stephane Lajeunesse writes:
>> > > > A create group <groupname> is still missing in the grammar,
>> > >
>> > > I'm working on this.. Should have something working around the end of
>> > > this week (for ALTER USER and CREATE USER).
>> >
>> > Please let me use this to tell you all that I would like to get notice of
>> > each change to gram.y. I am currently modelling ecpg's parser after gram.y
>> > to get good syntax checking. So I have to make these changes, too.
>>
>> Good idea on telling you of each change, but I also recommend that every
>> time you update the ecpg grammar, you save a copy of the gram.y that you
>> used to do it, so later when you need to get it back in sync, you can do
>> a diff on the old and new one to see each change so you don't miss any.
>
>Consider also not updating the grammar. The strength of PostgreSQL is that
>functions can be added to work inside the server. These functions can often
>do whatever is being proposed as new syntax.
>
>So, instead of cluttering up the grammar with non-standard SQLish stuff
>to handle things like groups, just create an administrative function to
>do this job.
>
>* return create_group('groupname');
>* return add_user_to_group('groupname', 'username');
>* return drop_group('groupname');
>
>These can be written in C, in SQL, or whatever far more quickly and with
>much less risk of destabilizing the system than the parser can be modified.
>It also avoids making incompatibility with ecpg.
>
>And, in keeping with the recent anti-bloat thread, these can be loadable
>extensions, not part of the core. So if you don't use groups, you don't pay
>for them.

I am sorry, but I have to disagree here. The group functionality is part of SQL92;
it is only called "role". In my opinion it is the only serious way to use the
SQL permission stuff. I never grant rights directly to users, I always try to
create task oriented roles, and then grant the users roles. Then if we get a new
secretary I only have to grant secretary to the new user. Everything else would be a nightmare.
There is only a misconception in Informix that makes roles rather useless:
you have to say 'set role secretary;' in every session to actually get the rights; there are no
default roles like in Oracle.

Andreas
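
The role-based grant pattern described in the message above, as an added example that is not part of the original thread. It assumes present-day PostgreSQL role syntax (not the grammar under discussion in 1998); the table `appointments` and the roles `secretary` and `alice` are constructed for illustration, and the audit query should be run as a superuser so that all grants are visible.

```sql
-- Task-oriented role: holds the privileges, cannot log in itself.
CREATE ROLE secretary NOLOGIN;

-- Constructed sample table for the example.
CREATE TABLE appointments (
    id         serial PRIMARY KEY,
    attendee   text NOT NULL,
    starts_at  timestamptz NOT NULL
);

-- Privileges are granted to the role only, never to a person.
GRANT SELECT, INSERT, UPDATE ON appointments TO secretary;
GRANT USAGE ON SEQUENCE appointments_id_seq TO secretary;

-- A new secretary joins: one statement gives her everything the job needs.
-- Membership is inherited by default (INHERIT), so no per-session
-- SET ROLE is required to obtain the rights.
CREATE ROLE alice LOGIN;
GRANT secretary TO alice;

-- She changes jobs: one statement removes everything again.
REVOKE secretary FROM alice;

-- Audit: table privileges granted directly to login roles, i.e. grants
-- that bypass the role model. Rows where grantee = grantor are the
-- owner's own implicit privileges and are excluded.
SELECT tp.grantee,
       tp.table_schema,
       tp.table_name,
       string_agg(tp.privilege_type, ', ' ORDER BY tp.privilege_type) AS privileges
FROM information_schema.table_privileges AS tp
JOIN pg_roles AS r ON r.rolname = tp.grantee
WHERE r.rolcanlogin
  AND tp.grantee <> tp.grantor
  AND tp.table_schema NOT IN ('pg_catalog', 'information_schema')
GROUP BY tp.grantee, tp.table_schema, tp.table_name
ORDER BY tp.grantee, tp.table_schema, tp.table_name;
```

With only the statements above applied, the audit query returns no rows, because `alice` never held a privilege on `appointments` in her own name.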


