From: | Hans-Jürgen Schönig <hs(at)cybertec(dot)at> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, peter_e(at)gmx(dot)net, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Groups and roles |
Date: | 2003-06-10 07:59:14 |
Message-ID: | 3EE58FD2.3030707@cybertec.at |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Tom Lane wrote:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
>
>>... Therefore I ask whether everyone agrees
>>that groups and roles are basically equivalent concepts (and perhaps that
>>we might in the future strive to make groups more compatible with the
>>roles as defined in the SQL standard). Or does anyone see that roles
>>might be implemented separately from groups sometime?
>
>
> Just reading section 4.31.3 of the SQL99 draft, it seems that roles are
> pretty much interchangeable with groups, except that a role can be a
> member of another role while we don't presently allow groups to be
> members of other groups.
>
> So it seems that your question breaks down to:
>
> 1. Do we want to someday allow groups to have groups as members? (Seems
> reasonable to me.)
Makes sense ...
> 2. Are there any other differences between groups and roles? (I'm not
> sure about this one.)
To me some differences would make sense sense if we had additional
priviledges. In Oracle a user needs a punch of rights to connect, to
execute SQL, and so forth. If we had these features it would make sense
to treat roles and groups seperately because:
Imagine having groups having rights on dozens of tables. If these groups
were assigned to a role it would be an easy task to block numerous
groups from executing SQL at once. Currently a user has all rights of
all groups he belongs to so it is damn hard to say that 1000 users
should not be allowed to do anything for a period of time (because of
maintenance or so). If all those users (but the superuser) had a certain
role, the role could be modified instead of those 1000 users/groups (eg.
REVOKE login, execute_sql FROM some_role).
Currently roles don't make too much sense to me because we don't have
the permissions for making roles useful (personally I don't think that
it makes to have this stuff anyway).
I guess adding a simple field to the system tables would be enough.
If we had a field "active" (bool) in pg_shadow and pg_group we could
solve some basic problems such as banning 10000 groups at once more easily.
This is the only problem we have from time to time. If there is too much
user rights stuff around administering will be more painful (see Oracle).
Regards,
Hans
--
Cybertec Geschwinde u Schoenig
Ludo-Hartmannplatz 1/14, A-1160 Vienna, Austria
Tel: +43/2952/30706; +43/664/233 90 75
www.cybertec.at, www.postgresql.at, kernel.cybertec.at
From | Date | Subject | |
---|---|---|---|
Next Message | Nigel J. Andrews | 2003-06-10 10:02:31 | Re: host and hostssl equivalence in pg_hba.conf |
Previous Message | Ron Johnson | 2003-06-10 07:08:08 | Re: Feature Suggestion/Index tuning wizard that |