* David G Johnston (david.g.johns...@gmail.com) wrote:
> I'd rather there be better, more user friendly, SQL-based APIs to the
> permissions system that would facilitate performing and reviewing grants.

This would be *really* nice, I agree.  I've heard tale of people writing
functions that go through the catalog based on a given user and spit
back everything that they have permissions to.  Would be really nice if
we had those kinds of functions built-in.

> If something like IMPERSONATE was added I would strongly suggest a
> corresponding "[NO]IMPERSONATE" for CREATE USER so that the admin can make
> specific roles unimpersonable - and also make SUPERUSER roles unimpersonable
> by rule.

I agree that this would be necessary..  but strikes me as less of a
complete solution than what the existing pg_auth_members approach grants

Perhaps a better idea would be to simply make the bouncer unnecessary by
having a in-PG connection pooler type of system.  That's been discussed
previously and shot down but it's still one of those things that's on my
wish-list for PG.



Attachment: signature.asc
Description: Digital signature

Reply via email to