Participants
Александр Аникин
Александр Аникин
Nasby, Jim
Nasby, Jim
Scott Whitney
Scott Whitney
Keith Fiske
Keith Fiske
Attachments

No attachments in this thread

Thread Outline
#1...#2
Александр АникинNasby, Jim
Sep 27, 2018
#1Александр АникинАлександр Аникин
Sep 27, 2018
#2Nasby, JimNasby, Jimto Александр Аникин (#1)
Oct 05, 2018
#3Scott WhitneyScott Whitneyto Nasby, Jim (#2)
Oct 05, 2018
#4...#5
Keith FiskeАлександр Аникин
to Nasby, Jim (#2)
Oct 05, 2018
#4Keith FiskeKeith Fisketo Nasby, Jim (#2)
Oct 05, 2018
#5Александр АникинАлександр Аникинto Keith Fiske (#4)
Oct 08, 2018

Create roles trigger

Started by Александр Аникинover 7 years ago5 messages
#1Александр Аникин
Александр Аникин
anikin24@list.ru

Hey, folks!
I've got a question about events on roles creation.
I need to execute some custom logic on role creation.
All information about roles located in `pg_authid` table.
The first thing that comes to mind is to create trigger on `pg_authid` table, but this is not possible, because this is a system table.
Next thing, is to create a view (select * from pg_authid) and create trigger on view, but this didn't work out too.

One more thing is to create event trigger (CREATE EVENT TRIGGER trigger ON ddl_command_start WHEN TAG IN ('CREATE ROLE')), but it's also not possible, event triggers are not supported for 'CREATE ROLE'.
Is there is any possibility to do that ? May be, create custom extension or something else.

#2Nasby, Jim
Nasby, Jim
nasbyj@amazon.com
In reply to: Александр Аникин (#1)
Re: Create roles trigger

Please do not post to multiple lists. Moving -hackers to BCC.

On Sep 27, 2018, at 4:07 AM, Александр Аникин <anikin24@list.ru> wrote:

Hey, folks!

I've got a question about events on roles creation.

I need to execute some custom logic on role creation.

All information about roles located in `pg_authid` table.
The first thing that comes to mind is to create trigger on `pg_authid` table, but this is not possible, because this is a system table.
Next thing, is to create a view (select * from pg_authid) and create trigger on view, but this didn't work out too.

Not sure what you were attempting with the view, but catalog tables are a special case, so those kind of tricks are straight-out not going to work.

One more thing is to create event trigger (CREATE EVENT TRIGGER trigger ON ddl_command_start WHEN TAG IN ('CREATE ROLE')), but it's also not possible, event triggers are not supported for 'CREATE ROLE'.

Is there is any possibility to do that ? May be, create custom extension or something else.

I would also love to have event triggers for global objects, but unfortunately that’s a very tough nut to crack, because changes to global objects could happen from any database in the entire system (which could easily number in the thousands). For global event triggers to work, there would need to be a global list of event triggers, including which database the event trigger was in. There would also need to be a way to fire those triggers (currently, a backend can not run anything in a separate database). You’d also face the challenge of whether the user running the event trigger had permission to connect to all of those databases.

In short, there’s a lot of work left to be done in order to support what you’re looking for.

BTW, if you only need auditing then you should take a look at pg_audit.

#3Scott Whitney
Scott Whitney
scott@journyx.com
In reply to: Nasby, Jim (#2)
Re: Create roles trigger

Honestly, this is a perfect use-case for calling shell scripts.
________________________________
From: Nasby, Jim <nasbyj@amazon.com>
Sent: Friday, October 5, 2018 3:26:22 PM
To: Александр Аникин
Cc: borey2005@gmail.com; pgsql-admin@postgresql.org
Subject: Re: Create roles trigger

Please do not post to multiple lists. Moving -hackers to BCC.

On Sep 27, 2018, at 4:07 AM, Александр Аникин <anikin24@list.ru> wrote:

Hey, folks!

I've got a question about events on roles creation.

I need to execute some custom logic on role creation.

All information about roles located in `pg_authid` table.
The first thing that comes to mind is to create trigger on `pg_authid` table, but this is not possible, because this is a system table.
Next thing, is to create a view (select * from pg_authid) and create trigger on view, but this didn't work out too.

Not sure what you were attempting with the view, but catalog tables are a special case, so those kind of tricks are straight-out not going to work.

One more thing is to create event trigger (CREATE EVENT TRIGGER trigger ON ddl_command_start WHEN TAG IN ('CREATE ROLE')), but it's also not possible, event triggers are not supported for 'CREATE ROLE'.

Is there is any possibility to do that ? May be, create custom extension or something else.

I would also love to have event triggers for global objects, but unfortunately that’s a very tough nut to crack, because changes to global objects could happen from any database in the entire system (which could easily number in the thousands). For global event triggers to work, there would need to be a global list of event triggers, including which database the event trigger was in. There would also need to be a way to fire those triggers (currently, a backend can not run anything in a separate database). You’d also face the challenge of whether the user running the event trigger had permission to connect to all of those databases.

In short, there’s a lot of work left to be done in order to support what you’re looking for.

BTW, if you only need auditing then you should take a look at pg_audit.

[http://journyx.com/emailImages/ScottWhitney.png]

[http://journyx.com/emailImages/linkedin.png]&lt;https://www.linkedin.com/company/journyx-inc/&gt; [http://journyx.com/emailImages/twitter.png] <https://www.twitter.com/journyxinc&gt;
[http://journyx.com/emailImages/bluebar.jpg]

Scott Whitney
Director of IT

[http://journyx.com/emailImages/journyx.jpg]

scott@journyx.com<mailto:scott@journyx.com> | +1 (800) 755-9878

7600 Burnet Road, Ste. 300
Austin, TX 78757

Visit us at www.journyx.com<https://www.journyx.com/&gt;

To unsubscribe from Journyx promotional emails, click here <http://journyx.com/communication-preferences&gt; or visit http://journyx.com/communication-preferences.

#4Keith Fiske
Keith Fiske
keith.fiske@crunchydata.com
In reply to: Nasby, Jim (#2)
Re: Create roles trigger

On Fri, Oct 5, 2018 at 4:26 PM Nasby, Jim <nasbyj@amazon.com> wrote:

Please do not post to multiple lists. Moving -hackers to BCC.

On Sep 27, 2018, at 4:07 AM, Александр Аникин <anikin24@list.ru> wrote:

Hey, folks!

I've got a question about events on roles creation.

I need to execute some custom logic on role creation.

All information about roles located in `pg_authid` table.
The first thing that comes to mind is to create trigger on `pg_authid`

table, but this is not possible, because this is a system table.

Next thing, is to create a view (select * from pg_authid) and create

trigger on view, but this didn't work out too.

Not sure what you were attempting with the view, but catalog tables are a
special case, so those kind of tricks are straight-out not going to work.

One more thing is to create event trigger (CREATE EVENT TRIGGER trigger

ON ddl_command_start WHEN TAG IN ('CREATE ROLE')), but it's also not
possible, event triggers are not supported for 'CREATE ROLE'.

Is there is any possibility to do that ? May be, create custom extension

or something else.

I would also love to have event triggers for global objects, but
unfortunately that’s a very tough nut to crack, because changes to global
objects could happen from any database in the entire system (which could
easily number in the thousands). For global event triggers to work, there
would need to be a global list of event triggers, including which database
the event trigger was in. There would also need to be a way to fire those
triggers (currently, a backend can not run anything in a separate
database). You’d also face the challenge of whether the user running the
event trigger had permission to connect to all of those databases.

In short, there’s a lot of work left to be done in order to support what
you’re looking for.

BTW, if you only need auditing then you should take a look at pg_audit.

Perhaps if you share what sorts of things you're trying to do on role
creation, someone could provide a different method that may work for what
you're trying to do. For example, if you're just trying to manage
privileges, you could use the DEFAULT PRIVILEGES system to manage that.

https://www.postgresql.org/docs/current/static/sql-alterdefaultprivileges.html

--
Keith Fiske
Senior Database Engineer
Crunchy Data - http://crunchydata.com

#5Александр Аникин
Александр Аникин
anikin24@list.ru
In reply to: Keith Fiske (#4)
Re[2]: Create roles trigger

Guys, thank You for your replies.

 Not sure what you were attempting with the view, but catalog tables are a special case, so those kind of tricks are straight-out not going to work.

I attempt to create trigger on a view (select * from pg_authid). But this did not work out. 

 Perhaps if you share what sorts of things you're trying to do on role creation, someone could provide a different method that may work for what you're trying to do.

My goal is to sync roles between PostgreSQL and PgPool. PgPool uses separate file for auth (pool_passwd). 

Right now I have script, that every 5 seconds check the diff in roles.

Пятница, 5 октября 2018, 23:44 +03:00 от Keith Fiske <keith.fiske@crunchydata.com>:

On Fri, Oct 5, 2018 at 4:26 PM Nasby, Jim < nasbyj@amazon.com > wrote:

Please do not post to multiple lists. Moving -hackers to BCC.

On Sep 27, 2018, at 4:07 AM, Александр Аникин < anikin24@list.ru > wrote:

Hey, folks!

I've got a question about events on roles creation.

I need to execute some custom logic on role creation.

All information about roles located in `pg_authid` table.
The first thing that comes to mind is to create trigger on `pg_authid` table, but this is not possible, because this is a system table.
Next thing, is to create a view (select * from pg_authid) and create trigger on view, but this didn't work out too.

Not sure what you were attempting with the view, but catalog tables are a special case, so those kind of tricks are straight-out not going to work.

One more thing is to create event trigger (CREATE EVENT TRIGGER trigger ON ddl_command_start WHEN TAG IN ('CREATE ROLE')), but it's also not possible, event triggers are not supported for 'CREATE ROLE'.

Is there is any possibility to do that ? May be, create custom extension or something else.

I would also love to have event triggers for global objects, but unfortunately that’s a very tough nut to crack, because changes to global objects could happen from any database in the entire system (which could easily number in the thousands). For global event triggers to work, there would need to be a global list of event triggers, including which database the event trigger was in. There would also need to be a way to fire those triggers (currently, a backend can not run anything in a separate database). You’d also face the challenge of whether the user running the event trigger had permission to connect to all of those databases.

In short, there’s a lot of work left to be done in order to support what you’re looking for.

BTW, if you only need auditing then you should take a look at pg_audit.

Perhaps if you share what sorts of things you're trying to do on role creation, someone could provide a different method that may work for what you're trying to do. For example, if you're just trying to manage privileges, you could use the DEFAULT PRIVILEGES system to manage that.

https://www.postgresql.org/docs/current/static/sql-alterdefaultprivileges.html

--
Keith Fiske
Senior Database Engineer
Crunchy Data - http://crunchydata.com

--
Александр Аникин

← Back to Topics