From: | Daniel Farina <drfarina(at)acm(dot)org> |
---|---|
To: | Josh Berkus <josh(at)agliodbs(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: One Role, Two Passwords |
Date: | 2011-01-21 01:55:42 |
Message-ID: | AANLkTim-+Ym9p31zUTDzF-vZZRLQAkwDw2ZLjj=o8wZ1@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, Jan 20, 2011 at 5:32 PM, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
>
>> * Eventual Retirement of old credentials without having to issue ALTER
>> statements (or really statements of any kind...) against application
>> schema objects.
>
> OK, that's a different goal. You want to be able to expire passwords
> with an overlap period. That's quite different from wanting an
> indefinfite number of passwords per role.
Correct; although I don't see a reason to strictly abide by two.
Still, it would get most jobs done.
> Mind you, the main way to do this right now ... and where you're going
> to get pushback ... is using LDAP, ActiveDirectory or similar. At a
> certain point we have to draw the line and say "PostgreSQL is not an
> authtenication server". I don't know exactly where that line is, but
> recognize that you're arguing about where to draw it.
Quite correct, as I conceded to Andrew initially. PAM may also be an
option to work around. The problem is that running a reliable,
centralized LDAP service is not justifiable as compared to role
mangling on a per-node level, and the role mangling seems has some
shortcomings that are negotiable with gritted teeth.
A goldilocks case so far of "too hot" and "too cold" I think is
exhibited here. I do not think the problem unreasonable and it will
become increasingly common on larger and more diverse Postgres
deployments, especially on hosted (do I need to say cloud?)
infrastructure which cannot make as many consistency guarantees about
processes starting all over the place.
For that reason I have brought it to -hackers.
--
fdr
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2011-01-21 01:59:31 | Re: One Role, Two Passwords |
Previous Message | Kevin Grittner | 2011-01-21 01:54:52 | Re: SSI and Hot Standby |