| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Abhijit Menon-Sen <ams(at)2ndQuadrant(dot)com> |
| Cc: | Simon Riggs <simon(at)2ndQuadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers(at)postgresql(dot)org, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Ian Barwick <ian(at)2ndQuadrant(dot)com> |
| Subject: | Re: pgaudit - an auditing extension for PostgreSQL |
| Date: | 2014-11-03 20:53:14 |
| Message-ID: | 26537.1415047994@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Abhijit Menon-Sen <ams(at)2ndQuadrant(dot)com> writes:
> Earlier, I was using a combination of check and assign hooks to convert
> names to OIDs, but (as Andres pointed out) that would have problems with
> cache invalidations. I was even playing with caching membership lookups,
> but I ripped out all that code.
> In the attached patch, role_is_audited does all the hard work to split
> up the list of roles, look up the corresponding OIDs, and check if the
> user is a member of any of those roles. It works fine, but it doesn't
> seem desirable to repeat all that work for every statement.
> So does anyone have suggestions about how to make this faster?
Have you read the code in acl.c that caches lookup results for
role-is-member-of checks? Sounds pretty closely related.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2014-11-03 20:59:00 | Re: how to handle missing "prove" |
| Previous Message | Abhijit Menon-Sen | 2014-11-03 20:40:55 | Re: pgaudit - an auditing extension for PostgreSQL |