Thread: RFC: roles

RFC: roles

From
Andreas Pflug
Date:
I had a look at roles, and was wondering about the best way to support them.

Purely, it's not a problem at all: just expose pg_authid and
pg_auth_members in dialogs/lists.

OTOH, it might be quite confusing for 1st time users that there are only
roles with some attributes, no users and groups. Should we have two
modes for it: The reduced view with users and groups (where a group may
be a group member too) and an enhanced view that allows all role features?
Additionally, this has also some impact on the security properties,
since a role that may login currently wouldn't be exposed as grantee by
default.

Thoughts?

Regards,
Andreas




Re: RFC: roles

From
"Dave Page"
Date:
Hi Andreas

> -----Original Message-----
> From: pgadmin-hackers-owner@postgresql.org
> [mailto:pgadmin-hackers-owner@postgresql.org] On Behalf Of
> Andreas Pflug
> Sent: 31 July 2005 13:40
> To: pgadmin-hackers
> Subject: [pgadmin-hackers] RFC: roles
>
> I had a look at roles, and was wondering about the best way
> to support them.
>
> Purely, it's not a problem at all: just expose pg_authid and
> pg_auth_members in dialogs/lists.
>
> OTOH, it might be quite confusing for 1st time users that
> there are only
> roles with some attributes, no users and groups. Should we have two
> modes for it: The reduced view with users and groups (where a
> group may
> be a group member too) and an enhanced view that allows all
> role features?
> Additionally, this has also some impact on the security properties,
> since a role that may login currently wouldn't be exposed as
> grantee by
> default.
>
> Thoughts?

I think I would be inclined just to have the full view of everything.
Roles effectively deprecate users and groups, so I don't think we should
try to fool the user into thinking they are still there. For convenience
though, perhaps we should notate which roles have login somehow -
perhaps a trailing asterisk?

Regards, Dave.

Re: RFC: roles

From
Andreas Pflug
Date:
Dave Page wrote:
> Hi Andreas
>
>
>>-----Original Message-----
>>From: pgadmin-hackers-owner@postgresql.org
>>[mailto:pgadmin-hackers-owner@postgresql.org] On Behalf Of
>>Andreas Pflug
>>Sent: 31 July 2005 13:40
>>To: pgadmin-hackers
>>Subject: [pgadmin-hackers] RFC: roles
>>
>>I had a look at roles, and was wondering about the best way
>>to support them.
>>
>>Purely, it's not a problem at all: just expose pg_authid and
>>pg_auth_members in dialogs/lists.
>>
>>OTOH, it might be quite confusing for 1st time users that
>>there are only
>>roles with some attributes, no users and groups. Should we have two
>>modes for it: The reduced view with users and groups (where a
>>group may
>>be a group member too) and an enhanced view that allows all
>>role features?
>>Additionally, this has also some impact on the security properties,
>>since a role that may login currently wouldn't be exposed as
>>grantee by
>>default.
>>
>>Thoughts?
>
>
> I think I would be inclined just to have the full view of everything.
> Roles effectively deprecate users and groups, so I don't think we should
> try to fool the user into thinking they are still there.  For convenience
> though, perhaps we should notate which roles have login somehow -
> perhaps a trailing asterisk?

How ugly! The icon can signal it.

Still questions open:
Hierarchical or flat view? Separate grouping for login/nologin roles,
roles with/without children?

Actually, I don't find it good practice to use a role as group and login
at the same time. I'd be inclined to name all roles with login without
children a user, the rest role/group, grouping them accordingly.

Regards,
Andreas

Re: RFC: roles

From
"Dave Page"
Date:

> -----Original Message-----
> From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
> Sent: 01 August 2005 14:14
> To: Dave Page
> Cc: pgadmin-hackers
> Subject: Re: [pgadmin-hackers] RFC: roles
>
>
> How ugly! The icon can signal it.

Yes, that is preferable, however in most places (i.e. combo boxes) the
icons got lost when pgAdmin 2 was rewritten as pgAdmin 3.

> Still questions open:
> Hierarchical or flat view? Separate grouping for login/nologin roles,
> roles with/without children?

I think a flat view, as it could get very messy with 1 role being a
member of more than one other.

> Actually, I don't find it good practice to use a role as
> group and login
> at the same time. I'd be inclined to name all roles with
> login without
> children a user, the rest role/group, grouping them accordingly.

No, I agree it's bad practice, but it might happen (I assume - haven't
tried it though) as far as I can see from the docs. In fact, they say:

"A role having LOGIN privilege can be thought of as a user", so I think
we should not count child roles, and just rely on LOGIN.

Of course, this seems like a good candidate for a guru hint.

/D

Re: RFC: roles

From
Andreas Pflug
Date:
Dave Page wrote:
>
>
>
>>-----Original Message-----
>>From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
>>Sent: 01 August 2005 14:14
>>To: Dave Page
>>Cc: pgadmin-hackers
>>Subject: Re: [pgadmin-hackers] RFC: roles
>>
>>
>>How ugly! The icon can signal it.
>
>
> Yes, that is preferable, however in most places (i.e. combo boxes) the
> icons got lost when pgAdmin 2 was rewritten as pgAdmin 3.
>
>
>>Still questions open:
>>Hierarchical or flat view? Separate grouping for login/nologin roles,
>>roles with/without children?
>
>
> I think a flat view, as it could get very messy with 1 role being a
> member of more than one other.
>
>
>>Actually, I don't find it good practice to use a role as
>>group and login
>>at the same time. I'd be inclined to name all roles with
>>login without
>>children a user, the rest role/group, grouping them accordingly.
>
>
> No, I agree it's bad practice, but it might happen (I assume - haven't
> tried it though) as far as I can see from the docs. In fact, they say:
>
> "A role having LOGIN privilege can be thought of as a user", so I think
> we should not count child roles, and just rely on LOGIN.
>
> Of course, this seems like a good candidate for a guru hint.


So we have:
- Groups/Roles and Users as object collection
- Users will contain all roles with LOGIN
- Groups/Roles the rest
- Both will use common dlgRole dialog, with different checkbox settings
for LOGIN
- NOLOGIN roles (in Groups/Roles) have the group icon
- LOGIN roles without kids (pure users) have user icon
- LOGIN roles with kids ('role-user') have group icon
- Guru hint "bad practice" if a LOGIN role is used as role parent

Agreed?

Regards,
Andreas
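
The classification summarised in the list above can be read straight from the catalogs. The query below is an added example, not part of the original thread or of pgAdmin's code: it uses the world-readable `pg_roles` view instead of `pg_authid` (which requires superuser), and the column aliases and category labels are assumptions chosen to match the wording of the list.

```sql
-- Added example: classify roles as proposed in the thread and flag
-- LOGIN roles that other roles are members of (the "guru hint" case).
SELECT r.rolname,
       r.rolcanlogin                                   AS can_login,
       count(m.member)                                 AS direct_members,
       string_agg(u.rolname, ', ' ORDER BY u.rolname)  AS members,
       CASE
         WHEN r.rolcanlogin AND count(m.member) = 0 THEN 'user'
         WHEN r.rolcanlogin                         THEN 'role-user'
         ELSE 'group/role'
       END                                             AS category,
       -- true when a role that can log in is also used as a parent:
       -- every privilege granted to that login flows on to its members
       (r.rolcanlogin AND count(m.member) > 0)         AS guru_hint
FROM pg_roles r
LEFT JOIN pg_auth_members m ON m.roleid = r.oid     -- r is the parent role
LEFT JOIN pg_roles u        ON u.oid    = m.member  -- u is the member role
WHERE r.rolname !~ '^pg_'   -- skip predefined system roles (reserved prefix)
GROUP BY r.oid, r.rolname, r.rolcanlogin
ORDER BY category, r.rolname;
```

Rows with `guru_hint = true` are the ones worth reviewing: grants made to that login role are picked up by every member listed in `members`.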

Re: RFC: roles

From
"Dave Page"
Date:

> -----Original Message-----
> From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
> Sent: 01 August 2005 14:56
> To: Dave Page
> Cc: pgadmin-hackers
> Subject: Re: [pgadmin-hackers] RFC: roles
>
>
> So we have:
> - Groups/Roles and Users as object collection
> - Users will contain all roles with LOGIN
> - Groups/Roles the rest

Hmm, I'd only been thinking about the security tabs so far. I'd be
inclined to have just

Roles
  -> Role 1
  -> Role 2

in the treeview, and not try to make any distinction between 'users' and
'groups' at that level. The server doesn't, so we probably shouldn't
either. I suppose we could use a modified icon for those with LOGIN, for
convenience though, but I definitely think there should be only Roles at
the top. (BTW, the icons for Roles/Role are already done, so just use a
placeholder for now).

Grouping as well as Icons could be used in the combo boxes, but even
then, I'm not sure grouping is required.

BTW, do you plan to keep the 'Display users as well as groups for
security' setting? I think we should, but obviously translated to mean
include LOGIN roles with other ROLES.

> - Both will use common dlgRole dialog, with different checkbox
> settings for LOGIN

Yes.

> - NOLOGIN roles (in Groups/Roles) have the group icon
> - LOGIN roles without kids (pure users) have user icon
> - LOGIN roles with kids ('role-user') have group icon

See above :-)

> - Guru hint "bad practice" if a LOGIN role is used as role parent

Sounds good.

Regards, Dave

Re: RFC: roles

From
Andreas Pflug
Date:
Dave Page wrote:
>
>
>
>>-----Original Message-----
>>From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
>>Sent: 01 August 2005 14:56
>>To: Dave Page
>>Cc: pgadmin-hackers
>>Subject: Re: [pgadmin-hackers] RFC: roles
>>
>>
>>So we have:
>>- Groups/Roles and Users as object collection
>>- Users will contain all roles with LOGIN
>>- Groups/Roles the rest
>
>
> Hmm, I'd only been thinking about the security tabs so far. I'd be
> inclined to have just
>
> Roles
>   -> Role 1
>   -> Role 2
>
> in the treeview, and not try to make any distinction between 'users' and
> 'groups' at that level. The server doesn't, so we probably shouldn't
> either. I suppose we could use a modified icon for those with LOGIN, for
> convenience though, but I definitely think there should be only Roles at
> the top.

I'm thinking different here, because you're using roles and users in
different situations.
When editing roles, you're planning the access scheme layout without
necessarily having certain persons in mind. After the app is installed,
you won't touch roles any more.
In contrast, adding users and assigning them existing roles is a
day-by-day business. That's why I'd like them separated.

> (BTW, the icons for Roles/Role are already done, so just use a
> placeholder for now).

I don't see them in SVN... :-)

Regards,
Andreas

Re: RFC: roles

From
"Dave Page"
Date:
[CC'd to Niko as he probably wants to know about this as well]

> -----Original Message-----
> From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
> Sent: 01 August 2005 15:15
> To: Dave Page
> Cc: pgadmin-hackers
> Subject: Re: [pgadmin-hackers] RFC: roles
>
> I'm thinking different here, because you're using roles and users in
> different situations.
> When editing roles, you're planning the access scheme layout without
> necessarily having certain persons in mind. After the app is
> installed,
> you won't touch roles any more.
> In contrast, adding users and assigning them existing roles is a
> day-by-day business. That's why I'd like them separated.

Hmmm... What about:

Roles
  - Login
    - dave
    - andreas
    - niko
  - Organisational (perhaps something shorter?)
    - support
    - finance
    - admin

Speaking of which, how does this cope with my user www which is in group
www?

> > (BTW, the icons for Roles/Role are already done, so just use a
> > placeholder for now).
>
> I don't see them in SVN... :-)

No, you don't :-)

/D

Re: RFC: roles

From
Andreas Pflug
Date:
Dave Page wrote:

> [CC'd to Niko as he probably wants to know about this as well]
>
>
>
>>-----Original Message-----
>>From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
>>Sent: 01 August 2005 15:15
>>To: Dave Page
>>Cc: pgadmin-hackers
>>Subject: Re: [pgadmin-hackers] RFC: roles
>>
>>I'm thinking different here, because you're using roles and users in
>>different situations.
>>When editing roles, you're planning the access scheme layout without
>>necessarily having certain persons in mind. After the app is
>>installed,
>>you won't touch roles any more.
>>In contrast, adding users and assigning them existing roles is a
>>day-by-day business. That's why I'd like them separated.
>>
>>
>
>Hmmm... What about:
>
>Roles
>  - Login
>    - dave
>    - andreas
>    - niko
>  - Organisational (perhaps something shorter?)
>    - support
>    - finance
>    - admin
>
>

This sounds like an undesirable stacking of trivial collections.
Login Roles
  - dave
  - andreas
  - niko
Organisational Roles
  - support
  - finance
  - admin

would solve that. Or maybe shorter: Users and Roles :-)

Regards,
Andreas


Re: RFC: roles

From
"Dave Page"
Date:

> -----Original Message-----
> From: Andreas Pflug [mailto:pgadmin@pse-consulting.de]
> Sent: 01 August 2005 17:52
> To: Dave Page
> Cc: pgadmin-hackers; ennixo
> Subject: Re: [pgadmin-hackers] RFC: roles
>
>
> This sounds like an undesirable stacking of trivial collections.
> Login Roles
>   - dave
>   - andreas
>   - niko
> Organisational Roles
>   - support
>   - finance
>   - admin

Yeah, you're probably right. Login Roles sounds OK, but I'm not overly
happy with Organisational Roles. IIRC, SQL Server calls them Logins and
Roles - do you know about other DBMSs?

Regards, Dave.