On Thu, Jan 20, 2011 at 4:35 PM, Josh Berkus <j...@agliodbs.com> wrote:
>
>> How does this work with newly created objects? Is there a way to have
>> them default objects to a different owner, the parent of the two
>> roles?
>
> No, but you could easily assign default permissions.
>
>> In the case of password rotation, the goal would be to
>> drop the old password after all clients have had reasonable chance to
>> get an update. One could work around by generating new
>> username+password pairs constantly, but there are conveniences to
>> having a stable public-identifier for a role in addition to a private
>> secret used to authenticate it
>
> I guess I don't really understand what the real-world use case for this is.

Here's one: running a cluster with dynamic resource provisioning and
diverse applications, whereby one has the following constraints:

* Ensure all existing open database sessions operate as before without
  interruption

* Not be able to ensure after any one point that all *new* connection
  attempts will be with the new set of credentials

* Ensure that all database objects created using new or old
  credentials are indistinguishable

* Eventual Retirement of old credentials without having to issue ALTER
  statements (or really statements of any kind...) against application
  schema objects.

I don't see precisely how I can do this.

--
fdr

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
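
The parent-role arrangement discussed in this thread, written out against the four constraints above as an added example; it is not code from the thread or from PostgreSQL itself. All role names and passwords are hypothetical placeholders, and the approach assumes a per-role `role` setting so that each login role switches to the shared owner at connect time.

```sql
-- Added example: hypothetical role names, placeholder passwords.

-- Stable identity that owns every application object. It cannot log in,
-- so it carries no secret of its own.
CREATE ROLE app_owner NOLOGIN;

-- Two overlapping credentials, both members of app_owner.
CREATE ROLE app_cred_old LOGIN PASSWORD 'placeholder-old' IN ROLE app_owner;
CREATE ROLE app_cred_new LOGIN PASSWORD 'placeholder-new' IN ROLE app_owner;

-- New sessions of either login role start as if SET ROLE app_owner had
-- been issued, so objects they create are owned by app_owner and are
-- indistinguishable regardless of which credential was used.
ALTER ROLE app_cred_old SET role = 'app_owner';
ALTER ROLE app_cred_new SET role = 'app_owner';

-- Check from a client session: session_user is the credential used,
-- current_user is the owner that new objects will get.
SELECT session_user, current_user;

-- Retirement, step 1: refuse new logins with the old credential.
-- Sessions that are already open keep running.
ALTER ROLE app_cred_old NOLOGIN;

-- Retirement, step 2: wait until no session authenticated with the old
-- credential remains (usename is the login role, not current_user).
SELECT count(*) AS old_sessions
FROM pg_stat_activity
WHERE usename = 'app_cred_old';

-- Retirement, step 3: once old_sessions is 0, drop the credential.
-- It owns nothing, so no statement touches application schema objects;
-- its membership in app_owner is revoked by the DROP.
DROP ROLE app_cred_old;
```

A session can still issue `RESET ROLE` and then create objects owned by its login role, in which case the final `DROP ROLE` fails until those objects are reassigned; the per-role setting is a default, not an enforcement.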