Limiting per user and per db accesse (was TODO list) - Mailing list pgsql-hackers

From Jonathan Gardner
Subject Limiting per user and per db accesse (was TODO list)
Date
Msg-id 200312171648.44091.jgardner@jonathangardner.net
In response to Re: TODO list  (David Felstead <David.Felstead@colesmyer.com.au>)
Responses Re: Limiting per user and per db accesse (was TODO list)
List pgsql-hackers

On Wednesday 17 December 2003 2:59 pm, David Felstead wrote:
> David Felstead wrote:
> Bah, what a way to make an entrance - I re-read Andrew's post and
> realised he was talking about pg_hba.conf.  My apologies. :(
>
> Regardless, is this something that could be handled at a privilege level?
>

This actually sounds a lot better than the pg_hba.conf idea. We create
databases and users with SQL commands; we should probably expand the syntax
to limit their abilities wrt the cluster.

So here's another shot. What if we had a variable "max_connections" for each
user, group, and database?

-- User jgardner can only have 12 concurrent connections with this cluster.
ALTER USER jgardner SET max_connections = 12;

-- Group www can only have 12 concurrent connections with the cluster.
ALTER GROUP www SET max_connections = 12;

-- Database db can only have 12 concurrent connections from anyone.
ALTER DATABASE db SET max_connections = 12;


Not good enough for you? Perhaps we can do something like we do for
permissions and use an aclitem[]:

ALTER USER jgardner
SET max_connections = '{=12,db1=5,db2=1}'::maxconnitem[];

This would mean that jgardner can only have up to 12 connections with this
cluster; only 5 of those may be with database db1, and only 1 can be with
db2.

We can do something very similar for groups.

And databases? Maybe we can provide a type for that as well, that
distinguishes between users and groups?

--
Jonathan Gardner
jgardner@jonathangardner.net
Live Free, Use Linux!
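
The layered limits proposed in the message above, modelled as an added example that is not part of the original post or of PostgreSQL: it parses the proposed '{=12,db1=5,db2=1}' list and applies the cluster-wide and per-database caps to one user's connection attempt. The function names, the session counts and the rule that an unlisted database is bounded only by the cluster-wide cap are assumptions.

```python
import re

# One entry of the proposed list: optional database name, '=', a limit.
_ITEM = re.compile(r"\s*(\w*)\s*=\s*(\d+)\s*", re.ASCII)
CLUSTER = ""  # the empty name in '{=12,...}' is the cluster-wide cap


def parse_maxconn(text):
    """Parse '{=12,db1=5,db2=1}' into {'': 12, 'db1': 5, 'db2': 1}."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("limit list must be wrapped in braces")
    limits = {}
    inner = text[1:-1].strip()
    for item in inner.split(",") if inner else []:
        m = _ITEM.fullmatch(item)
        if m is None:
            raise ValueError(f"malformed entry: {item!r}")
        name, limit = m.group(1), int(m.group(2))
        if name in limits:
            # Reject ambiguous lists instead of silently keeping one value.
            raise ValueError(f"duplicate entry for {name or 'cluster'!r}")
        limits[name] = limit
    return limits


def may_connect(limits, open_by_db, target_db):
    """Decide whether one more connection to target_db is allowed.

    open_by_db maps database name -> connections this user already holds.
    Assumption: a database with no entry is bounded only by the cluster cap.
    """
    if CLUSTER in limits and sum(open_by_db.values()) >= limits[CLUSTER]:
        return False, "cluster-wide limit reached"
    if target_db in limits and open_by_db.get(target_db, 0) >= limits[target_db]:
        return False, f"limit for database {target_db} reached"
    return True, "ok"


if __name__ == "__main__":
    limits = parse_maxconn("{=12,db1=5,db2=1}")  # value from the message
    held = {"db1": 5, "db2": 0, "db3": 6}        # constructed session counts
    for db in ("db1", "db2", "db3"):
        print(db, may_connect(limits, held, db))
```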

