Re: pre-proposal: permissions made easier - Mailing list pgsql-hackers

From Jeff Davis
Subject Re: pre-proposal: permissions made easier
Date
Msg-id 1246226790.23359.74.camel@jdavis
Whole thread Raw
In response to Re: pre-proposal: permissions made easier  (David Fetter <david@fetter.org>)
Responses Re: pre-proposal: permissions made easier
List pgsql-hackers
On Sun, 2009-06-28 at 14:16 -0700, David Fetter wrote:
> > The users I'm targeting with my idea are: * Users who have a fairly
> > simple set of users and permissions, and who want a simple picture
> > of the permissions in their system for reassurance/verification.
> 
> I don't know of a case that started simple and stayed there without a
> lot of design up front.  In other words, those who'd benefit by such a
> thing are generally not those who'd want a shortcut.

I think that the 3 user types I outlined are a fairly reasonable
permissions scheme for a significant set of applications. I have used
that in the past, and generally speaking, I didn't need to make lots of
strange exceptions.

> >  * Users who don't currently use separate permissions, but might
> >  start if it's simpler to do simple things.
> 
> This is a matter of education, not tools.  The problem here is not
> that permissions are unavailable, but that people are failing to use
> them.

I don't think education is the answer. These users aren't necessarily
ignorant, but just don't want to hack up scripts to manage permissions
for what they perceive are simple schemes.

If the user imagines a well-defined but simple scheme, and it takes a
lot of awkward scripts to accomplish it, I think we've missed something.
A "reporting user" seems like a perfectly normal kind of user to create,
and yet it's very awkward to do.

> > The performance issue is something to consider, but I think it would
> > just be an extra catalog lookup (for each level), and the users of
> > this feature would probably be willing to pay that cost.
> 
> Where did this come up?

Tom mentioned that it might be expensive to check permissions, which I
assume was due to the extra catalog lookups required. I don't think it's
a major concern, nor would it affect normal permissions checks, unless I
missed something.

Regards,Jeff Davis



pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: pre-proposal: permissions made easier
Next
From: Jeff Davis
Date:
Subject: Re: pre-proposal: permissions made easier