On Mon, Oct 19, 2009 at 11:21 AM, Peter Eisentraut <pete...@gmx.net> wrote: >> A user can do that anyway if query logging is turned on, but anyway, >> what would you suggest - accept a-zA-Z0-9 and a few other choice >> characters only, or just reject a handful (and if so, what)? > > Well, either you make the thing wide open and thus pretty insecure and > unreliable, or you put in arbitrary limits which will possibly upset > many users, or you design some fairly complex rules about what is > allowed or not in what context. > > At which point you might realize that you can pretty much do all of this > already in a much better way: Create a user account for each application > or group of applications and assign them the roles that you are > currently using as login users. The user names already show up in all > the places that people want: ps, log, activity tables. And moreover, > the admin can control exactly who is allowed to use what user name in > what context, so there is no log spamming or confusing one's identity.
Excuse me one moment whilst I pick myself up from the floor :-) Can you imagine what a maintenance nightmare that would soon become? I might need a role for running the nightly backup, one for a weekly backup, one for each of a dozen data import/export tasks. What about a system supporting multiple applications? I used to have a dozen or more running on one server, with a hundred plus users, many of whom used 2 or 3 applications, some of who would also use reporting tools such as Crystal Reports in addition to the primary application. I'd need to give those users half a dozen or more roles each (which probably won't work nicely in my SSO environment). Please bear in mind that this feature is based on similar features in other DBMSs (and in fact, a feature in the JDBC spec) that people have asked for on a number of occasions. It's not a random idea I've come up with - my aim is to create a comparable feature to that which people may be accustomed to, in a secure and PostgreSQL-applicable way. -- Dave Page EnterpriseDB UK: http://www.enterprisedb.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers