On Fri, May 25, 2012 at 11:12 PM, Bruce Momjian wrote:
> On Fri, May 25, 2012 at 10:34:54PM -0400, Stephen Frost wrote:
>> * Robert Haas (robertmh...@gmail.com) wrote:
>> > On Thu, May 24, 2012 at 6:21 PM, Bruce Momjian wrote:
>> > > Yes, pre-1996. I think the fact that authentication/user names
On Sun, May 27, 2012 at 2:53 PM, Peter Eisentraut wrote:
> On tis, 2012-05-22 at 10:19 -0400, Robert Haas wrote:
>> I think we should have made roles and tablespaces database
>> objects rather than shared objects,
>
> User names are global objects in the SQL standard, which is part of the
> reason
On tis, 2012-05-22 at 10:19 -0400, Robert Haas wrote:
> I think we should have made roles and tablespaces database
> objects rather than shared objects,
User names are global objects in the SQL standard, which is part of the
reason that the current setup was never seriously challenged.
--
Sent
Stephen Frost writes:
> * Robert Haas (robertmh...@gmail.com) wrote:
>> Eh? Why would the presence of usernames in pg_hba.conf mean that they
>> have to be global objects?
> I havn't had a chance (yet) to look, but perhaps the current code
> attempts to validate the role before figuring out what
On Fri, May 25, 2012 at 10:34:54PM -0400, Stephen Frost wrote:
> * Robert Haas (robertmh...@gmail.com) wrote:
> > On Thu, May 24, 2012 at 6:21 PM, Bruce Momjian wrote:
> > > Yes, pre-1996. I think the fact that authentication/user names appear
> > > in pg_hba.conf really locked the user name idea
* Robert Haas (robertmh...@gmail.com) wrote:
> On Thu, May 24, 2012 at 6:21 PM, Bruce Momjian wrote:
> > Yes, pre-1996. I think the fact that authentication/user names appear
> > in pg_hba.conf really locked the user name idea into global objects, and
> > we have never really been able to make a
On Thu, May 24, 2012 at 6:21 PM, Bruce Momjian wrote:
> On Tue, May 22, 2012 at 10:19:12AM -0400, Robert Haas wrote:
>> In retrospect, I think the idea of shared catalogs was probably a bad
>> idea. I think we should have made roles and tablespaces database
>> objects rather than shared objects,
On Tue, May 22, 2012 at 10:19:12AM -0400, Robert Haas wrote:
> In retrospect, I think the idea of shared catalogs was probably a bad
> idea. I think we should have made roles and tablespaces database
> objects rather than shared objects, and come up with some ad-hoc
> method of representing the se
On May 22, 2012, at 12:18, Tom Lane wrote:
> Another objection is that it wouldn't scale up nicely to multiple levels
> of catalog hierarchy. But maybe local/global is enough.
That would be a huge improvement and this wouldn't get in the way of
any solution to the global oid conflict issue comin
On May23, 2012, at 00:21 , Josh Berkus wrote:
>> If you could help me work out the semantics and the high-level issues,
>> I'd love to spend time on this for 9.3...
>
> Syntax seems simple: CREATE LOCAL ROLE ...
>
> For that matter, let's keep other things simple:
>
> 1. local roles can inherit
On Tue, May 22, 2012 at 4:35 PM, Stephen Frost wrote:
> * Josh Berkus (j...@agliodbs.com) wrote:
>> The local role is preferred, the same way we allow objects in the local
>> schema to overshadow objects in the global schema.
>
> I would think we'd want the exact opposite. I don't want my global
> The issue with not allowing global spaces to overlap local ones is that
> we'd have to check every local list when creating a global account;
> that doesn't seem very easy to do. On the flip side, allowing
> duplicates between global and local would remove the need to check local
> lists when c
On May22, 2012, at 22:35 , Stephen Frost wrote:
> * Josh Berkus (j...@agliodbs.com) wrote:
>> The local role is preferred, the same way we allow objects in the local
>> schema to overshadow objects in the global schema.
>
> I would think we'd want the exact opposite. I don't want my global
> 'pos
* Josh Berkus (j...@agliodbs.com) wrote:
> The local role is preferred, the same way we allow objects in the local
> schema to overshadow objects in the global schema.
I would think we'd want the exact opposite. I don't want my global
'postgres' user to be overwritten by some local one that the a
Stephen,
> Which is "preferred"
> when you do a 'grant select' or 'grant role'?
The local role is preferred, the same way we allow objects in the local
schema to overshadow objects in the global schema.
> Or do we just disallow
> overlaps between per-DB roles and global roles? If we don't all
On May22, 2012, at 18:03 , Thom Brown wrote:
> On 22 May 2012 16:57, Florian Pflug wrote:
>> On May22, 2012, at 16:09 , Tom Lane wrote:
>>> Thom Brown writes:
Conflicts would occur where localrolename matches an existing local
role name within the same database, or a global role name, b
Thom Brown writes:
> On 22 May 2012 16:57, Florian Pflug wrote:
>> Maybe we could simply make all global role's OIDs even, and all local ones
>> odd, or something like that.
> Wouldn't that instantly make all previous versions of database
> clusters un-upgradable?
IIRC, pg_upgrade doesn't need
On 22 May 2012 16:57, Florian Pflug wrote:
> On May22, 2012, at 16:09 , Tom Lane wrote:
>> Thom Brown writes:
>>> Conflicts would occur where localrolename matches an existing local
>>> role name within the same database, or a global role name, but not a
>>> local role name within another databas
On May22, 2012, at 16:09 , Tom Lane wrote:
> Thom Brown writes:
>> Conflicts would occur where localrolename matches an existing local
>> role name within the same database, or a global role name, but not a
>> local role name within another database. The problem with this,
>> however, is that cre
* Thom Brown (t...@linux.com) wrote:
> Conflicts would occur where localrolename matches an existing local
> role name within the same database, or a global role name, but not a
> local role name within another database. The problem with this,
> however, is that creating global roles would need co
On Tue, May 22, 2012 at 9:37 AM, Thom Brown wrote:
> On 22 May 2012 14:04, Stephen Frost wrote:
>> What would the semantics of that look like though? Which is "preferred"
>> when you do a 'grant select' or 'grant role'? Or do we just disallow
>> overlaps between per-DB roles and global roles?
Thom Brown writes:
> Conflicts would occur where localrolename matches an existing local
> role name within the same database, or a global role name, but not a
> local role name within another database. The problem with this,
> however, is that creating global roles would need conflict checks
> a
On 22 May 2012 14:04, Stephen Frost wrote:
> What would the semantics of that look like though? Which is "preferred"
> when you do a 'grant select' or 'grant role'? Or do we just disallow
> overlaps between per-DB roles and global roles? If we don't allow
> duplicates, I suspect a lot of the o
* Simon Riggs (si...@2ndquadrant.com) wrote:
> * Ability to have a Role that can only access one Database
Alright, I'd like to think about this one specifically and solicit
feedback on the idea that we keep the existing shared role tables but
add on additional tables for per-database roles.
In th
24 matches
Mail list logo
