On Wed, Aug 5, 2009 at 2:57 PM, Josh Berkus<j...@agliodbs.com> wrote: > Right now we have a situation where most web developers aren't using > ROLEs *at all* because they are too complex for them to bother with. I > literally couldn't count the number of production applications I've run > across which connect to Postgres as the superuser. We need a
I have one database that is set up with a reporting user (read only on everything). It requires constant maintenance. Every time an object is added or deleted (or dropped and recreated, like a view, which I do ALL THE TIME to work around the inability to add/remove columns) the permissions get shot to hell. I finally crontabbed a script that fixes it every 20 minutes. I had another database where I tried to do some real permission separation and it was just a huge pain in the ass. Grant on all isn't gonna fix these problems completely, but it's a start. The DefaultACL stuff is another important step in the right direction. Documenting how to use PL/pgsql to do this stuff is an EXCELLENT idea, but it's not a complete substitute for providing some usable SQL-level facilities. ...Robert -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
