Обсуждение: CUG

Hi,

what would be the best way to implement a closed user group in an app
with postgresql ?

The app will be a cgi, so there will be an enormous number of
'guest'-users.

Groups should be containable in other groups (AFAIK this is not possible
in
postgresql's group management).

Up to now I had my own user/group management (one col per table
indicating the
group which has read-access).
It was easy to check permissions in my app and in WHERE clauses.
But now I need groups of groups which needs some kind of recursion.
Therefore I would write a (recursive) plpgsql function which I can use
in my app
and in arbitrary sql-queries' WHERE clauses.

Q: Before I do this, I would like to know whether this is the correct
approach.
Q: Should I use the built in user/group features ? (If not: What are
they there for?)
Q: Are there other mechanisms to handle tree-structures ? With properly
defined
   REFERENCES this should be possible (?) The only hints on recursions
and postgresql
   where features to AVOID recursion :((((((

TIA

--
 Nabil Sayegh
 GPG-Key available at http://www.sayegh.de
 (see http://www.gnupg.org for details)

On Sat, 3 Feb 2001, Nabil Sayegh wrote:

> what would be the best way to implement a closed user group in an app
> with postgresql ?

You really need to give us more details.
If it is something like a forum/bulleting board/ or something like
egroups, then your best bet by far is to start off existing code. Don't
see the point on re-inventing the wheel from scratch.


> Groups should be containable in other groups (AFAIK this is not possible
> in  postgresql's group management).

The groups managmenent of the database is to manage rights. I really don't
think you want to use db groups for your projects.  I even think you won't
need more than one DB user for the project.


> Up to now I had my own user/group management (one col per table
> indicating the  group which has read-access).
> It was easy to check permissions in my app and in WHERE clauses.
> But now I need groups of groups which needs some kind of recursion.

I see no problems with that.
There are several not too difficult ways to implement this, but you need
to give us more details. I personally don't see the benefit AT ALL on
using recursion. If someone needs access to different things which
different groups have access to, then you add that person to the different
groups which have ther proper rights.

Perhaps I don't know enough about what you are trying to do, but recursion
does not sound like the right thing to use.


> Q: Before I do this, I would like to know whether this is the correct
> approach.

I don't think so.

> Q: Should I use the built in user/group features ? (If not: What are
> they there for?)

To determine who has rights and what type of rights to particular tables.


> Q: Are there other mechanisms to handle tree-structures ? With properly
> defined REFERENCES this should be possible (?)

Don't really see why you would need tree structures for an access policy
type of databases.

 The only hints on recursions
> and postgresql where features to AVOID recursion :((((((

Right now I can not think of many instances where recursion can make your
life easier in databases.

Moreover from what you are describing it sounds like your design is not
clear in terms of what each part should do. A database is not a
programming environment. It is a place to efficiently store and access
data. Recursion is a programming concept which can be implemented in many
different ways and without direct connection to how data is stored.

Again if you give us more info about your goals we may be able to provide
with better feedback.

Francisco Reyes wrote:
> I see no problems with that.
> There are several not too difficult ways to implement this, but you need
> to give us more details. I personally don't see the benefit AT ALL on
> using recursion. If someone needs access to different things which
> different groups have access to, then you add that person to the different
> groups which have ther proper rights.

If e.g. I want to restrict access to pictures to groups:

pics:
id    | group
-------------
1     | guest
2     | guest
3     | guest
4     | family
5     | friend
6     | friend
7     | family
8     | colleague
9     | guest

groups:
id       | parent_id
--------------------
guest    | NULL
friend   | guest
family   | friend
colleague| guest

assigned_groups:
user_id  | group_id
---------------------
Stefan   | colleague
Stefan   | friend
Patrick  | friend
1        | guest
2        | guest
3        | guest
Peter    | family

> Perhaps I don't know enough about what you are trying to do, but recursion
> does not sound like the right thing to use.

It's clear that everybody has the permissions that guests have.
Members of family shall also(automatically) have the permissions
that friends have ...
I want the same group management like under unix.

> > Q: Should I use the built in user/group features ? (If not: What are
> > they there for?)
> To determine who has rights and what type of rights to particular tables.

Okay, then I have to implement it in the app.

> Don't really see why you would need tree structures for an access policy
> type of databases.
> Right now I can not think of many instances where recursion can make your
> life easier in databases.

How shall I know that family may see 'guest-pictures' ?

Without groups in groups its easy to SELECT the pictures somebody has
access to,
but with ?
It isn't convenient having to put every user to all groups he has access
to.
What if later I want to give all colleagues the rights that my
friends have (stupid example, I know ...)

> Again if you give us more info about your goals we may be able to provide
> with better feedback.

thx

--
 Nabil Sayegh
 GPG-Key available at http://www.sayegh.de
 (see http://www.gnupg.org for details)

On Sat, 3 Feb 2001, Nabil Sayegh wrote:

> It's clear that everybody has the permissions that guests have.
> Members of family shall also(automatically) have the permissions
> that friends have ...

I thought you wanted something more complex. From what I understand you
could implement "levels". When you put a picture you indicate what level
the person needs.

A picture with level 0 can be seen by anybody. A picture with level 1 can
be seen by anyone with leve 1 and above.. Get it?


> I want the same group management like under unix.

Not really. :-)

> How shall I know that family may see 'guest-pictures' ?

The "level" scheme accomplishes this.

> Without groups in groups its easy to SELECT the pictures somebody has
> access to, but with ?

> What if later I want to give all colleagues the rights that my
> friends have (stupid example, I know ...)

Another way which is more flexible, although a bit more complex, is to
allow someone to belong to different groups and to have each picture
allowable to more than one group.

Something like

--picture table
pictureID    Description
1        graduation
2        dance party
3        at the library
4        getting out of shower
5        nude

--group table
groupID        Description
1        Guest
2        friends
3        girlfriend

--user table
personID    groupID
1        guest
2        friend
3        girlfriend


-user_group
userID    groupID
1    1
2    1
2    2
3    3

--Picture table
pictureID  groupID
1        1
2        1
3        1
4        2
5        3

That should work for what you described with no problems (except if you
have more than one user on the girlfriend category, then you could
eventually have serious problems with this setup) <G>

The query for a setup like this would be a 3 way join between user, group
and the picture table. Something like

select picture.PictureID, from picture, user_group where
userVAR = user_group.userID and user_group.groupID = picture.groupID

I didn't test the query and didn't looked at it for too long, but it would
be something simmilar if not that.

Based on you request I think the "levels" is by far the easiest way to
accomplish what I understood you asked for.

Hope this helped.

Thanks for the quick responses ...

Francisco Reyes wrote:
> I thought you wanted something more complex. From what I understand you
> could implement "levels". When you put a picture you indicate what level
> the person needs.

Actually it will be a content management system, so it should be
abstract enough to
adapt to the customer's needs.

> A picture with level 0 can be seen by anybody. A picture with level 1 can
> be seen by anyone with leve 1 and above.. Get it?

Okay, this could be an option, perhaps it's best to implement several
different
mechanisms from which the customer may choose.

> Another way which is more flexible, although a bit more complex, is to
> allow someone to belong to different groups and to have each picture
> allowable to more than one group.

That's the state of affairs. Now I want to attach group girlfriend(s) to
group friends
so that if I add new pictures and give them the group friends my girl
may see it,
!!!without_explicitly_mentioning!!!
So far so good, here the level scheme could work, but ...

                   guest
                     |
                  friend
              /             \
        family            colleague
           |              /       \
      girlfriend       team1    team2

Business stuff is confidential and must not be seen even by my family.

It's like attaching the (unix-)group users to the group audio.

> --picture table
> --group table
> --user table
> --user_group
> --Picture table

> That should work for what you described with no problems (except if you
> have more than one user on the girlfriend category, then you could
> eventually have serious problems with this setup) <G>

(Thats just a matter of time-management ;^)

I would like to add another table group_group and this puzzles me
because I would need to recurse.

Perhaps It could be done transparent to the customer by adding triggers
which automatically add a new user to all necessary groups via
prototypes but
it would be hard to manage if they decide to give/take away permissions
from one group.

I think I will try a plpgsql function which descends the group tree till
NULL or success.
But this would restrict me to postgresql ... Is plpgsql available for
other DBs ?

cu

--
 Nabil Sayegh
 GPG-Key available at http://www.sayegh.de
 (see http://www.gnupg.org for details)

Hi, list...

Well, many providers do support mysql. Some of them do this even for
free. Some do support java servlets / jsp as well. Some of them are
free also.

But it seems to be difficult to
find a hosting provider who supports postgresql.

So, if anyone can give me a hint to find a free/cheap and/or reliable
hosting provider, i would appreciate it..

What I'm looking for (in desc. order...:)

1. Provider w. postgresql hosting + Java/Servlet/JSP-Support + for
free

2. Provider w. postgresql hosting + Java/Servlet/JSP-Support + for
a reasonable price

3. Provider w. postgresql hosting for free

4. Provider w. postgresql hosting for a reasonable price

Is there any complete list of providers supporting pgsql on the
web...?

--
Best regards,
 Bruno                            mailto:bruno@dickhoff.de

On Sun, 4 Feb 2001, Bruno Dickhoff wrote:

> 4. Provider w. postgresql hosting for a reasonable price

Have not used them yet, but considering..
hub.org

On the Docs section it mentions "java servlets " soon... So if they will
have that in the docs soon, they may already suppor them.

Good luck.

On Sun, 4 Feb 2001, Nabil Sayegh wrote:

> Okay, this could be an option, perhaps it's best to implement several
> different
> mechanisms from which the customer may choose.

I highly recommend to pick a method and stick to it. I continue to think
that you are trying to use canons to kill mosquitos. In other words that
you are over designing this. Again maybe I don't really understand what
you are trying to do, but what you describe as your needs and what you
describe as your solutions seem to have a very big gap between what is
needed and what you are trying to implement.


> That's the state of affairs. Now I want to attach group girlfriend(s) to
> group friends so that if I add new pictures and give them the group friends my girl
> may see it,
> !!!without_explicitly_mentioning!!!

This makes 0 sense to me. If you want your girlfriend to see the pictures
that friends can see, add her to the friend group.

> I would like to add another table group_group and this puzzles me
> because I would need to recurse.

I still don't see what recursion would get you except tons of more chances
to screw up the design, lengthen development and increase chances of
having to scrap the whole thing and do it from scratch at a later date.


> Perhaps It could be done transparent to the customer by adding triggers
> which automatically add a new user to all necessary groups via

Again... my suggestion is:
-A picture can be specified to be seen by different groups.
-Put whoever you want to see the picture in the appropriate group(s)

If you want all member of Group A to see the same pictures that Group B
can see simply select the ID of all pictures visible by Group G and create
records for Group A to be able to see the same pictures.

Hi,

I'm from hub, use us :) {shameless plug}

Seriously tho, we do support PostgreSQL fully, and we have
just installed Jakarta Tomcat.

(oh, and upgraded all servers to 1 gig ram last week)

Jeff

On Sun, 4 Feb 2001, Francisco Reyes wrote:

> On Sun, 4 Feb 2001, Bruno Dickhoff wrote:
>
> > 4. Provider w. postgresql hosting for a reasonable price
>
> Have not used them yet, but considering..
> hub.org
>
> On the Docs section it mentions "java servlets " soon... So if they will
> have that in the docs soon, they may already suppor them.
>
> Good luck.
>

Jeff MacDonald,

-----------------------------------------------------
PostgreSQL Inc        | Hub.Org Networking Services
jeff@pgsql.com        | jeff@hub.org
www.pgsql.com        | www.hub.org
1-902-542-0713        | 1-902-542-3657
-----------------------------------------------------
Facsimile : 1 902 542 5386
IRC Nick  : bignose
PGP Public Key : http://bignose.hub.org/public.txt

Francisco Reyes wrote:

> I highly recommend to pick a method and stick to it. I continue to think
> that you are trying to use canons to kill mosquitos. In other words that
> you are over designing this. Again maybe I don't really understand what
> you are trying to do, but what you describe as your needs and what you
> describe as your solutions seem to have a very big gap between what is
> needed and what you are trying to implement.

I think you're right.
I will write some insert/delete-by-prototype functions to simplify the
administration tasks.

cu

--
 Nabil Sayegh
 GPG-Key available at http://www.sayegh.de
 (see http://www.gnupg.org for details)

Jeff MacDonald wrote:
>
> Hi,
>
> I'm from hub, use us :) {shameless plug}
>
> Seriously tho, we do support PostgreSQL fully, and we have
> just installed Jakarta Tomcat.
>
> (oh, and upgraded all servers to 1 gig ram last week)

Another one is mmaweb.net

--
____________________________________________________________
Glenn Holmer                          gholmer@weycogroup.com
Programmer/Analyst                       phone: 414.908.1809
Weyco Group, Inc.                          fax: 414.908.1601