Extensions and roles for access administration

Started by Victor Yegorov | almost 14 years ago | 4 messages | general
#1Victor Yegorov
vyegorov@gmail.com

Greetings.

I've developed a small extension, that is essentially a collection of
tables with a bunch of PL/pgSQL functions,
that are API for the whole thing.

Inside the extension script I am creating extra roles, and access to the
extension's functions is provided
using these extra roles.
Given extension is named 'dmf' and one of the roles is 'dmf_user',
administrator has to grant 'dmf_user'
to any user that is eligible to use the provided APIs.

My questions are:
- is this the correct approach to include into extension a set of
administrative roles?
- I've noticed, that after I DROP EXTENSION, all roles are still there in
the database. Is this expected?

--
Victor Y. Yegorov

#2Tom Lane
tgl@sss.pgh.pa.us
In reply to: Victor Yegorov (#1)
Re: Extensions and roles for access administration

Виктор Егоров <vyegorov@gmail.com> writes:

> - I've noticed, that after I DROP EXTENSION, all roles are still there in
> the database. Is this expected?

Roles are not considered to be part of an extension: they really can't
be, since an extension is local to a database while a role is global to
the whole installation. As per the documentation, you're allowed to do
CREATE ROLE in an extension script but it won't be managed by the
extension mechanism.

Not sure about a better solution to your problem offhand. It might be
sane for the script to do CREATE ROLE IF NOT EXISTS, if we had that,
which we do not :-(

regards, tom lane

#3Victor Yegorov
vyegorov@gmail.com
In reply to: Tom Lane (#2)
Re: Extensions and roles for access administration

Thanks, this clarifies things for me.

There's DROP ROLE IF EXISTS, which I'm using.

2012/6/22 Tom Lane <tgl@sss.pgh.pa.us>

> Roles are not considered to be part of an extension: they really can't
> be, since an extension is local to a database while a role is global to
> the whole installation. As per the documentation, you're allowed to do
> CREATE ROLE in an extension script but it won't be managed by the
> extension mechanism.
>
> Not sure about a better solution to your problem offhand. It might be
> sane for the script to do CREATE ROLE IF NOT EXISTS, if we had that,
> which we do not :-(

--
Victor Y. Yegorov

#4Jasen Betts
jasen@xnet.co.nz
In reply to: Victor Yegorov (#1)
Re: Extensions and roles for access administration

On 2012-06-22, Виктор Егоров <vyegorov@gmail.com> wrote:

> Thanks, this clarifies things for me.
>
> There's DROP ROLE IF EXISTS, which I'm using.

that seems kind of pointless, as, if the role exists and owns anything
it's going to fail.

--
⚂⚃ 100% natural
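
The points raised in this thread, as an added example that is not code from any of the posters or from the 'dmf' extension: a guarded role creation that stands in for the missing CREATE ROLE IF NOT EXISTS, least-privilege grants through 'dmf_user', and the cleanup that DROP ROLE needs once the role holds privileges. The schema name dmf and the user alice are assumptions made for illustration.

```sql
-- Extension script fragment. Roles are cluster-wide, so the role may already
-- exist because the extension was installed in another database.
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles
                   WHERE rolname = 'dmf_user') THEN
        CREATE ROLE dmf_user NOLOGIN;   -- group role, cannot log in itself
    END IF;
EXCEPTION
    WHEN duplicate_object THEN
        NULL;  -- a concurrent session created the role between check and create
END
$$;

-- Functions are executable by PUBLIC by default; remove that so that
-- membership in dmf_user is the only way in. (Schema "dmf" is assumed.)
REVOKE ALL ON ALL FUNCTIONS IN SCHEMA dmf FROM PUBLIC;
GRANT USAGE ON SCHEMA dmf TO dmf_user;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA dmf TO dmf_user;

-- Run by the administrator, not by the extension script.
-- (alice is a constructed user name.)
GRANT dmf_user TO alice;

-- Cleanup after DROP EXTENSION. First list what still references the role;
-- datname is NULL for shared objects.
SELECT d.datname, s.classid::regclass AS catalog, s.deptype
FROM pg_catalog.pg_shdepend s
LEFT JOIN pg_catalog.pg_database d ON d.oid = s.dbid
WHERE s.refclassid = 'pg_catalog.pg_authid'::regclass
  AND s.refobjid = (SELECT oid FROM pg_catalog.pg_roles
                    WHERE rolname = 'dmf_user');

-- In every database listed above: revoke the role's privileges and drop
-- anything it owns. Use REASSIGN OWNED BY dmf_user TO <other role> first
-- if it owns objects that must survive.
DROP OWNED BY dmf_user;

-- Once, after no database references the role any more.
DROP ROLE IF EXISTS dmf_user;
```

DROP OWNED only affects the current database, so a role used by the extension in several databases has to be cleaned up in each of them before DROP ROLE succeeds.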