Changes between Version 3 and Version 4 of PgluserAndDice

Timestamp:
Sep 23, 2013, 9:02:32 AM (6 years ago)
Author:
Graham Dutton
Comment:

--

  • PgluserAndDice

    v3 v4  
    2828 * read-only group membership to users with the 'db/servicedb/ro' capability
    2929
    30 The key to pgluser's ability to manage this structure cleanly is in the division between access control and group membership: by distinguishing between ''group roles'', which are '''manually''' given database, table and column-level permissions; and ''user roles'', which are created and deleted '''automatically''' by pgluser; these represent the users or agents of the system and are given permissions by membership of the appropriate group role^["#p1"]^.
     30The key to pgluser's ability to manage this structure cleanly is in the division between access control and group membership: by distinguishing between ''group roles'', which are '''manually''' given database, table and column-level permissions; and ''user roles'', which are created and deleted '''automatically''' by pgluser; these represent the users or agents of the system and are given permissions by membership of the appropriate group role^[#p1]^.
    3131
    3232
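Review bot: the footnote reference on new line 30 is now written `^[#p1]^`, which matches the `^[#p2]^` form used in the later hunk, so the two anchors are at least consistent with each other; the sentence it sits in is still a single run-on joined by two semicolons ("...by distinguishing between ''group roles'', which are ...; and ''user roles'', which are ...; these represent the users...") and would read more clearly split at the second semicolon into its own sentence.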
     
    6666A few things worth noting:
    6767 * the use of the substitution parameter {{{%(role)s}}}; this is quoted above, in case usernames turn out to be SQL reserved words.
    68  * the use of the PostgreSQL term {{{INHERIT}}} to explicitly define the role as one which automatically inherits those roles it is granted.  This is important both from a user point of view (though it is the PostgreSQL default) and in more complex configurations, can allow pgluser to distinguish "user" roles from "group" roles^["#p2"]^.
     68 * the use of the PostgreSQL term {{{INHERIT}}} to explicitly define the role as one which automatically inherits those roles it is granted.  This is important both from a user point of view (though it is the PostgreSQL default) and in more complex configurations, can allow pgluser to distinguish "user" roles from "group" roles^[#p2]^.
    6969 * The splitting of {{{CREATE; ALTER}}} and use of {{{REASSIGN OWNED}}} are optional, but can help smooth out edge cases where roles already exist or where ownership isn't as expected.
    7070
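Review bot: the changed line (new 68) says `INHERIT` "can allow pgluser to distinguish 'user' roles from 'group' roles" but does not document how that distinction is made; since the text itself notes that `INHERIT` is the PostgreSQL default, a reader cannot tell from this passage what marks a group role differently, and a sentence stating what attribute pgluser looks for would close that gap. The unchanged line 67 about quoting `{{{%(role)s}}}` could likewise say that quoting the identifier is what keeps an unusual username from being interpreted as anything other than a role name, not only that it guards against reserved words.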
     
    8282}}}
    8383
    84 Whether you use {{{users}}} or {{{ignore}}} depends on whether you feel it's pgluser's business to create the user if it is missing.  The {{{postgres}}} role is the only special special case; pgluser always ignores objects with this name, for obvious reasons^["#3"]^.
     84Whether you use {{{users}}} or {{{ignore}}} depends on whether you feel it's pgluser's business to create the user if it is missing.  The {{{postgres}}} role is the only special special case; pgluser always ignores objects with this name, for obvious reasons^[#3]^.
    8585
    8686
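Review bot: the footnote reference on new line 84 becomes `^[#3]^`, which does not follow the `#p1` / `#p2` naming used by the two earlier footnotes on this page, so the anchor may not resolve to the intended note unless the footnote list defines `#3` rather than `#p3`; the same line also still reads "the only special special case", a duplicated word this edit leaves in place.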