Re: Proposal: two new role attributes and/or capabilities?

From: Stephen Frost
Subject: Re: Proposal: two new role attributes and/or capabilities?
Msg-id: 20141223190420.GN3062@tamriel.snowman.net
In response to: Re: Proposal: two new role attributes and/or capabilities?  (David G Johnston <david.g.johnston@gmail.com>)
List: pgsql-hackers

* David G Johnston (david.g.johnston@gmail.com) wrote:
> I'd rather there be better, more user friendly, SQL-based APIs to the
> permissions system that would facilitate performing and reviewing grants.

This would be *really* nice, I agree.  I've heard tale of people writing
functions that go through the catalog based on a given user and spit
back everything that they have permissions to.  Would be really nice if
we had those kinds of functions built-in.

> If something like IMPERSONATE was added I would strongly suggest a
> corresponding "[NO]IMPERSONATE" for CREATE USER so that the admin can make
> specific roles unimpersonable - and also make SUPERUSER roles unimpersonable
> by rule.

I agree that this would be necessary..  but strikes me as less of a
complete solution than what the existing pg_auth_members approach grants
you.

Perhaps a better idea would be to simply make the bouncer unnecessary by
having an in-PG connection pooler type of system.  That's been discussed
previously and shot down but it's still one of those things that's on my
wish-list for PG.
Thanks,
    Stephen
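
An added example, not part of the original message or of PostgreSQL itself: one way to review what a role can do using the existing catalogs and built-in privilege functions, covering the pg_auth_members membership chain and effective table privileges. The role name `app_reader` is a hypothetical placeholder.

```sql
-- Assumption: 'app_reader' is a hypothetical role name; substitute the
-- role under review in both queries.

-- 1. Every role that app_reader is a direct or indirect member of,
--    found by walking pg_auth_members upward from the role itself.
WITH RECURSIVE memberships AS (
    SELECT r.oid AS roleid, r.rolname, 0 AS depth
    FROM pg_roles r
    WHERE r.rolname = 'app_reader'
  UNION
    SELECT g.oid, g.rolname, m.depth + 1
    FROM memberships m
    JOIN pg_auth_members am ON am.member = m.roleid
    JOIN pg_roles g ON g.oid = am.roleid
)
SELECT rolname, depth
FROM memberships
ORDER BY depth, rolname;

-- 2. Effective table-level privileges outside the system schemas.
--    has_table_privilege() already accounts for privileges inherited
--    through role membership, and returns true for superusers.
SELECT n.nspname AS schema_name,
       c.relname AS relation_name,
       p.priv    AS privilege
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN (VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE'),
                   ('TRUNCATE'), ('REFERENCES'), ('TRIGGER')) AS p(priv)
WHERE c.relkind IN ('r', 'v', 'm', 'f')   -- tables, views, matviews, foreign tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege('app_reader', c.oid, p.priv)
ORDER BY schema_name, relation_name, privilege;
```

The second query covers relations only; schemas, functions, sequences and databases have their own `has_*_privilege` functions and need separate passes.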
