| From: | Josh Berkus <josh(at)agliodbs(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Per-Database Roles |
| Date: | 2012-05-22 22:21:52 |
| Message-ID: | 4FBC1180.60608@agliodbs.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> The issue with not allowing global spaces to overlap local ones is that
> we'd have to check every local list when creating a global account;
> that doesn't seem very easy to do. On the flip side, allowing
> duplicates between global and local would remove the need to check local
> lists when creating global accounts, but would add complexity and could
> lead to odd semantics when there is a duplicate.
On the other hand, keep in mind that creating a global account can be
slow. For anyone who has a huge multi-tenant setup with 200 database
each with their own local users, creating a new global account will be
an event which occurs once or twice a year. Just so that we don't pay
the same check cost for people who don't use local accounts.
> If you could help me work out the semantics and the high-level issues,
> I'd love to spend time on this for 9.3...
Syntax seems simple: CREATE LOCAL ROLE ...
For that matter, let's keep other things simple:
1. local roles can inherit only from other local roles
2. global roles can inherit only from other global roles
3. only a global role can be a database owner
--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Josh Berkus | 2012-05-22 22:26:08 | Re: Changing the concept of a DATABASE |
| Previous Message | Alexander Korotkov | 2012-05-22 21:38:06 | Re: Draft release notes complete |