Postgres Pro
Downloads
Home   >   mailing lists

Re: WITH SYSID feature dropped - Mailing list pgsql-admin

From Jim C. Nasby
Subject Re: WITH SYSID feature dropped
Date
Msg-id 20051221221207.GI72143@pervasive.com
Whole thread Raw
In response to Re: WITH SYSID feature dropped  ("Donald Fraser" <postgres@kiwi-fraser.net>)
Responses Re: WITH SYSID feature dropped
List pgsql-admin
Tree view 
On Wed, Dec 21, 2005 at 04:15:35PM -0000, Donald Fraser wrote:
> Our "user" table holds security privilege and access rights
> information which can change at the drop of a hat. Our approach to
> managing the mapping of our privileges to PostgreSQL GROUPS
> etc has been one of brute force. It is much easier to DROP a user
> and recreate them when their access rights change, as apposed to
> figuring out what GROUPS they currently belong to and what
> GROUPS they should now belong to. Therefore under the new
> scheme of things dropping and recreating a new user would cause
> a change in the OID and this is not desireable as described above.

I think it would be a useful addition to PostgreSQL to have the ability
to explicitly set a set of permissions on a role. IE, be able to
atomically define exactly what permissions/roles a role has. This would
effectively take the place of a set of GRANT and DROP statements.

I realize that you could probably get the same effect by
BEGIN
REVOKE * FROM ROLE
GRANT ... TO ROLE
GRANT ... TO ROLE
...
COMMIT;

But that's rather ugly, especially since REVOKE * doesn't actually
exist. Of course you could probably codify all that into a function, but
I suspect it would still be much uglier than supporting it directly in
the grammar.

BTW, from http://www.postgresql.org/docs/8.1/static/sql-alteruser.html

"ALTER USER is now an alias for ALTER ROLE, which see for more
information."

Someone want to commit a quick grammar fix to that? Maybe "which you
should see for more..."?

> Could have, would have, should have...
> but nobody thought of it and probably a bit late now though....

BTW, this is why it's good to keep an eye on things that are being
changed and if possible test on HEAD occasionally. Doesn't guarantee
that OID support would have been maintained, but it's always good to
know how people are using PostgreSQL, especially when it comes to the
more 'off the wall' features.
--
Jim C. Nasby, Sr. Engineering Consultant      jnasby@pervasive.com
Pervasive Software      http://pervasive.com    work: 512-231-6117
vcard: http://jim.nasby.net/pervasive.vcf       cell: 512-569-9461

pgsql-admin by date:

Previous
From: "Jim C. Nasby"
Date:
Subject: Re: Help Me !
Next
From: "Jim C. Nasby"
Date:
Subject: Re: WITH SYSID feature dropped