From: | Selena Deckelmann <selena(at)chrisking(dot)com> |
---|---|
To: | "David E(dot) Wheeler" <david(at)kineticode(dot)com>, pdxpug(at)postgresql(dot)org |
Subject: | Re: authentication services |
Date: | 2006-10-20 00:03:51 |
Message-ID: | 33baa82832776765507b349e23dab83e@chrisking.com |
Lists: | pdxpug |
On Oct 19, 2006, at 4:51 PM, David E. Wheeler wrote:
> On Oct 19, 2006, at 16:07, Selena Deckelmann wrote:
>
>> Damn. Looks like you still have to add the users to the database.
>>
>> http://developer.postgresql.org/pgdocs/postgres/auth-methods.html#AUTH-LDAP
>
> I'm not surprised. The database needs to keep track of users itself,
> so that it can assign ownership, check permissions, etc. Most systems
> work this way (including Bricolage).

It would be interesting if the system relied more on roles, and used
authentication as a way of determining what role a user belonged to.
Then, when a person tries to log in to pgsql for the first time, it
looks up what their group membership is and assigns permissions
appropriately. And if you really wanted to, it could add the user to
the database. Ideally, you'd just rely on the role, so that anyone
with the proper role/group membership could log in to the database.
It's really powerful when you're in an environment that has defined
responsibilities and rapid turnover.

Few applications do this. Most people just make generic accounts that
lots of people have the password to. And that leads to all sorts of
problems.

-selena
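
The role-per-group idea in this message, sketched as an added example (not code from the thread or from PostgreSQL): a script derives the `CREATE ROLE` / `GRANT` / `REVOKE` statements from directory group membership and disables leavers without dropping them, since the database still needs the role for ownership. The group names, role names and the `GROUP_TO_ROLE` mapping are assumptions, and the directory lookup is replaced by a constructed dict.

```python
# Added illustration: all group, role and user names are constructed.
GROUP_TO_ROLE = {            # directory group -> PostgreSQL group role (assumed mapping)
    "dba": "db_admin",
    "analysts": "reporting_ro",
}

def quote_ident(name: str) -> str:
    """Quote an SQL identifier; names coming from a directory are untrusted input."""
    if not name or "\x00" in name:
        raise ValueError("invalid role name")
    return '"' + name.replace('"', '""') + '"'

def plan_sync(directory, db_logins):
    """Return SQL that brings login roles in line with directory group membership.

    directory: {user: set of directory groups}
    db_logins: {existing login role: set of group roles it currently holds}
    """
    stmts = []
    for user in sorted(directory):
        wanted = {GROUP_TO_ROLE[g] for g in directory[user] if g in GROUP_TO_ROLE}
        if not wanted:
            continue  # no mapped group means no database access
        if user not in db_logins:
            stmts.append(f"CREATE ROLE {quote_ident(user)} LOGIN;")
        held = db_logins.get(user, set())
        for role in sorted(wanted - held):
            stmts.append(f"GRANT {quote_ident(role)} TO {quote_ident(user)};")
        for role in sorted(held - wanted):
            stmts.append(f"REVOKE {quote_ident(role)} FROM {quote_ident(user)};")
    for user in sorted(db_logins):
        if any(g in GROUP_TO_ROLE for g in directory.get(user, ())):
            continue  # still entitled, handled above
        # Leaver: strip roles and disable login, but keep the role itself so
        # ownership of existing objects stays valid.
        for role in sorted(db_logins[user]):
            stmts.append(f"REVOKE {quote_ident(role)} FROM {quote_ident(user)};")
        stmts.append(f"ALTER ROLE {quote_ident(user)} NOLOGIN;")
    return stmts

if __name__ == "__main__":
    directory = {"alice": {"dba"}, "bob": {"analysts", "staff"}, 'd"arcy': {"analysts"}}
    db_logins = {"bob": {"db_admin"}, "carol": {"reporting_ro"}}
    print("\n".join(plan_sync(directory, db_logins)))
```
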