Re: [PATCHES] Users/Groups -> Roles - Mailing list pgsql-hackers

From: Stephen Frost
Subject: Re: [PATCHES] Users/Groups -> Roles
Msg-id: 20050630130520.GC24207@ns.snowman.net
In response to: Re: [PATCHES] Users/Groups -> Roles (Stephen Frost <sfrost@snowman.net>)
Responses: Re: [PATCHES] Users/Groups -> Roles
List: pgsql-hackers

Fabien,

* Fabien COELHO (fabien@coelho.net) wrote:
> This is a very useful feature, and a key idea of the specs IMVVHO. ISTM
> that the way "fuse" user and role misses that important point, as I have
> not seen a "set role" in the grammar file.

'set role' is coming, sorry it wasn't in my initial patch.  We are
looking to support pretty much all of the SQL features 'Basic roles' and
'Extended roles'.  I think 'set role' and maybe some cleanup of
information_schema is all we need to claim 'Basic roles' support.  For
'Extended roles' I think we need revoke role cascade support.
Interestingly, the SQL2003 draft I'm looking at doesn't list 'drop role
<role name> cascade' as being valid, yet other places in the spec
specify 'drop role <role name> cascade' usage, so I think we should
support that.

> Although in the spec role rights are transitive in the role realm, it
> should *stop* at the user. If you drop the user concept, you just have a
> group with automatically provided rights.

I'm not quite sure what you mean here.  Role right resolution starts
from the user and then works backwards up the tree, with multi-level
resolution.  It wouldn't go past the logged in user since that's really
where it starts.

> The fact that the spec does not specify the USER stuff and specifies the
> ROLE stuff does not mean that having only roles is the good way to go.

I'm pretty sure we'll be able to match the SQL spec and support at least
everything we did before with users/groups...

> So for me we should have per-cluster users as they were up to now,
> per-catalog roles with the properties I described, and possibly
> per-cluster groups just for the sake of compatibility/simplicity of the
> access control and managing groups of users as a whole. ROLE should not
> replace USER/GROUP. It should be added next to it.

I don't see much point in having USER or GROUP when we have roles.  Is
there something specific that you feel can't be done with roles that
could be done w/ USER/GROUP?  Per-catalog roles is an interesting idea,
but I'd tend to think that if you want per-catalog roles, you'd want
per-catalog users too.  I don't have any problem with that, but I don't
see how not being per-catalog indicates we should have USER/GROUP
instead of roles.

> Maybe I'm wrong at my reading of the spec and its intent, and at my quick
> check through the status of the cvs head, but that's my current
> understanding, and I think it should be checked seriously.

I just went through the spec yesterday, check -hackers for my email
about what CVS head supports vs. what's in the SQL spec.  I don't see
any particular reason why we wouldn't be able to fully support 'Basic
roles' and 'Extended roles' in 8.1, I think we're quite close now...

Thanks,
    Stephen
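
An added example (not code from the thread or from the patch under discussion) of the multi-level role resolution and the `SET ROLE` behaviour described above, written in PostgreSQL 8.1+ role syntax; the role, user and table names are made up:

```sql
-- Constructed example: role membership forms a tree, and privilege
-- resolution starts at the logged-in user and walks up that tree.
CREATE ROLE app_readers;                        -- group-like role
CREATE ROLE app_admins;                         -- group-like role
GRANT app_readers TO app_admins;                -- admins are members of readers
CREATE ROLE alice LOGIN PASSWORD 'change-me';   -- user-like role (made-up name)
GRANT app_admins TO alice;                      -- alice -> app_admins -> app_readers

CREATE TABLE accounts (id int, balance numeric);
REVOKE ALL ON accounts FROM PUBLIC;
GRANT SELECT ON accounts TO app_readers;        -- granted two levels above alice

-- Does alice's membership chain reach app_readers (MEMBER), and are the
-- privileges of app_readers usable by alice without SET ROLE (USAGE)?
SELECT pg_has_role('alice', 'app_readers', 'MEMBER');
SELECT pg_has_role('alice', 'app_readers', 'USAGE');

-- Least-privilege variant: a NOINHERIT role is still a member of the
-- roles granted to it, but does not pick up their privileges implicitly.
-- The elevated rights only apply after an explicit SET ROLE in the session.
CREATE ROLE bob LOGIN NOINHERIT PASSWORD 'change-me';
GRANT app_admins TO bob;
SELECT pg_has_role('bob', 'app_admins', 'MEMBER');   -- may bob SET ROLE to it?
SELECT pg_has_role('bob', 'app_admins', 'USAGE');    -- are its rights implicit?

-- In bob's own session:
--   SET ROLE app_admins;   -- elevate for this session only
--   SELECT * FROM accounts;
--   RESET ROLE;            -- drop back to bob's own privileges
```

Comparing the two `pg_has_role` results for `bob` shows the difference between being able to assume a role and silently holding its rights, which is the distinction a least-privilege setup relies on.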
