Thread: Extensions and roles for access administration
Greetings.
I've developed a small extension that is essentially a collection of tables with a bunch of PL/pgSQL functions
that are the API for the whole thing.
Inside the extension script I am creating extra roles, and access to the extension's functions is provided
using these extra roles.
Given that the extension is named 'dmf' and one of the roles is 'dmf_user', the administrator has to grant 'dmf_user'
to any user that is eligible to use the provided APIs.
My questions are:
- Is it the correct approach to include a set of administrative roles in an extension?
- I've noticed, that after I DROP EXTENSION, all roles are still there in the database. Is this expected?
Victor Y. Yegorov

Виктор Егоров <vyegorov@gmail.com> writes:
> - I've noticed, that after I DROP EXTENSION, all roles are still there in
> the database. Is this expected?

Roles are not considered to be part of an extension: they really can't
be, since an extension is local to a database while a role is global to
the whole installation. As per the documentation, you're allowed to do
CREATE ROLE in an extension script but it won't be managed by the
extension mechanism.

Not sure about a better solution to your problem offhand. It might be
sane for the script to do CREATE ROLE IF NOT EXISTS, if we had that,
which we do not :-(

regards, tom lane

Thanks, this clarifies things for me.
There's DROP ROLE IF EXISTS, which I'm using.

2012/6/22 Tom Lane <tgl@sss.pgh.pa.us>
> Roles are not considered to be part of an extension: they really can't
> be, since an extension is local to a database while a role is global to
> the whole installation. As per the documentation, you're allowed to do
> CREATE ROLE in an extension script but it won't be managed by the
> extension mechanism.
>
> Not sure about a better solution to your problem offhand. It might be
> sane for the script to do CREATE ROLE IF NOT EXISTS, if we had that,
> which we do not :-(

Victor Y. Yegorov

On 2012-06-22, Виктор Егоров <vyegorov@gmail.com> wrote:
> Thanks, this clarifies things for me.
>
> There's DROP ROLE IF EXISTS, which I'm using.

That seems kind of pointless, as, if the role exists and owns anything
it's going to fail.

--
⚂⚃ 100% natural
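
An added example, not part of the thread and not code from the dmf extension: one way an extension script can stand in for the missing CREATE ROLE IF NOT EXISTS, restrict the API to members of 'dmf_user', and later drop the role without the ownership failure mentioned in the last reply. The schema name dmf, the grantee alice and the new owner postgres are assumptions made for illustration.

```sql
-- Extension script fragment.
-- Assumption: the extension's tables and functions live in a schema named dmf.

-- Roles are cluster-wide, so dmf_user may already exist: the extension may be
-- installed in another database, or may have been dropped and re-created here.
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles
                   WHERE rolname = 'dmf_user') THEN
        BEGIN
            CREATE ROLE dmf_user NOLOGIN;
        EXCEPTION WHEN duplicate_object THEN
            -- Another session created the role between the check and the CREATE.
            NULL;
        END;
    ELSIF EXISTS (SELECT 1 FROM pg_catalog.pg_roles
                  WHERE rolname = 'dmf_user'
                    AND (rolsuper OR rolcanlogin)) THEN
        -- A pre-existing role of the same name was not created by this script;
        -- do not hand the API to one that can log in or is a superuser.
        RAISE EXCEPTION 'role dmf_user exists with LOGIN or SUPERUSER, refusing to reuse it';
    END IF;
END
$$;

-- Functions are executable by PUBLIC by default. Revoke that so membership in
-- dmf_user is the only way to reach the API.
REVOKE ALL ON ALL FUNCTIONS IN SCHEMA dmf FROM PUBLIC;
GRANT USAGE ON SCHEMA dmf TO dmf_user;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA dmf TO dmf_user;

-- Run by the administrator for each eligible user (alice is a placeholder).
GRANT dmf_user TO alice;

-- Cleanup, run manually after DROP EXTENSION because the extension mechanism
-- does not manage roles. DROP ROLE fails while the role still owns objects or
-- holds privileges, so clear those first in every database where it has any.
-- postgres is a placeholder for the new owner.
REASSIGN OWNED BY dmf_user TO postgres;
DROP OWNED BY dmf_user;

-- Then, once for the whole installation:
DROP ROLE IF EXISTS dmf_user;
```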