Re: [PATCHES] Users/Groups -> Roles - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: [PATCHES] Users/Groups -> Roles
Date
Msg-id 200507011649.j61GnI708978@candle.pha.pa.us
Whole thread Raw
In response to Re: [PATCHES] Users/Groups -> Roles  (Fabien COELHO <coelho@cri.ensmp.fr>)
Responses Re: [PATCHES] Users/Groups -> Roles
Re: [PATCHES] Users/Groups -> Roles
List pgsql-hackers
Stupid question, but how do roles relate to our existing "groups"?

---------------------------------------------------------------------------

Fabien COELHO wrote:
> 
> >> The privilege management is about a catalog, so it better to have it in 
> >> the catalog.
> >
> > Permissions are at a number of levels already: cluster, database,
> > schema, table.  Permissions at different levels hasn't got anything to
> > do w/ per-catalog roles.
> 
> Sorry for not being very clear. I see two "main" levels:
> 
> (1) the connection which is managed in pg_hba.conf. It is a sysadmin 
> concern, where you decide who will be able to get into your system. This 
> issue is *not* addressed by the SQL specs.
> 
> (2) once you're connected to a catalog, the ability to adjust/organize 
> privileges for accessing data within this catalog. This is a dbadmin 
> concern, where you decide for a given user which can access the database, 
> what data should be readable. This issue is addressed by the SQL specs.
> 
> If you think unix, root decides the first, and each user decides the 
> second for the files it owns.
> 
> >>  - for teaching purposes [...]
> >
> > Right, this can be done now.
> 
> There is the namespace collision issue, and although I might grant a 
> student the privilege to create simple roles, I would not allow them to 
> create new users for a basic practice;-)
> 
> >>  - for administration purposes, different databases have different
> >>    requirements, and maybe different kind of role "readonly",
> >>    "modifiable", "fulladmin" which could be attributed independently in
> >>    each database.
> >
> > I don't see how this has got anything to do w/ per-catalog roles either...
> 
> Because of namespace collision. That what I mean by "independently" above.
> 
> >> So as to illustrate what I call an interference [...]
> >
> > Ah-hah, now here's something we can talk about: namespace collision.
> 
> That is just what I meant in the last 10 mails when I mention per-catalog 
> roles as better than per-cluster roles. I just did not put in the right
> keywords to make myself clear:-( Sigh.
> 
> > That's an issue which per-catalog roles would help with.
> 
> Indeed.
> 
> > I'm not so sure that'd make administration *easier* though, I'd think 
> > it'd make it harder, honestly, at least in the case where you've got 
> > multiple databases that you want to give a certain person access to.
> 
> Sure, "grouping" at the cluster level is also useful.
> 
> > [...]
> > As long as we can identify the database trying to be connected to at the 
> > same time or before we get the username I don't think this would be too 
> > hard to support.
> 
> Yet, but this is not what I'm looking for. I want the grouping 
> per-catalog, but the user (or connectable-role now) is fine enough for me 
> at the cluster level.
> 
> > Perhaps for 8.2 this could be done, though I'm still not convinced it's 
> > a definite win.
> 
> For the "user per-catalog" part, I agree with you.
> 
> >> If you're right that having both "per-catalog" and "per-cluster" role with
> >> some flag would be accepted into postgresql, then that will be fine with
> >> me. I'll just argue for the per-catalog roles to be the default.
> >
> > It'd really be a create-role option, 'create role abc GLOBAL'
> 
> There is also a problem of namespace collision if you have both global and 
> local roles. When I create a global role, pg cannot check that this name 
> is not used in ANY of the databases. If you can have two "admin" roles, 
> one global and one local... I doubt Tom will let pass such an improvement.
> Also, I don't feel the upward compatibility constraint well with 
> per-catalog roles once per-cluster roles are in place.
> 
> > or some such.  The resolution would then be check the per-catalog 
> > pg_authid first and if nothing is found there go to the system-wide 
> > pg_authid. That's kind of ugly, of course, and could slow things down 
> > for people who prefer to have global roles instead of per-catalog roles.
> 
> If the per-catalog role is empty, I guess an obvious optimisation could be 
> implemented;-)
> 
> Good night,
> 
> -- 
> Fabien.
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
>        subscribe-nomail command to majordomo@postgresql.org so that your
>        message can get through to the mailing list cleanly
> 

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
359-1001+  If your life is a hard drive,     |  13 Roberts Road +  Christ can be your backup.        |  Newtown Square,
Pennsylvania19073
 


pgsql-hackers by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: Backend working directories and absolute file paths
Next
From: "Barry Lind"
Date:
Subject: Re: 2PC transaction id