Hi, Felipe!

On Apr 24, Felipe Gasper wrote:
On 4/23/15 5:48 PM, Geoff Montee wrote:
I'm not a big fan of this bit from the MySQL documentation:
"When a single account has been granted proxy privileges on more than one account, the server mapping is nondeterministic. Therefore, granting proxy privileges on multiple accounts to a single account is discouraged."
Nondeterministic behavior can be pretty messy. Maybe improving the role system to support more use cases would be better than going down this route?
Agreed. It should fail, IMO, when you try to add a 2nd PROXY privilege to the same user. Very strange design.
That's because they're abusing the PROXY privilege. PROXY privilege is exactly that, a *privilege* - it allows a given user to pretend that he's some other given user. What user should it be - this is defined by a plugin. A plugin says "let Alice be Bob for this session". And DBMS checks whether Alice is allowed to be Bob. And, naturally, there can be many proxies granted to the same user. Alice might also be allowed to be Carol and Dave, but not Eve. PROXY privilege was never supposed to be an *instruction* of what a user will be. When you grant a SELECT privilege on a table to someone, this someone doesn't get the table dumped out to him every time he connects, does he? :) A privilege is not an instruction, it doesn't tell what to do, only what you can do.
It would be nice to have the flexibility to allow roles to log in (similar to how PostgreSQL roles can be defined with "WITH LOGIN" role attributes), but I'm not sure if MariaDB will get that feature. Maybe submit a feature request to our JIRA?
Done: https://mariadb.atlassian.net/browse/MDEV-8047
I’m not sure it’s filed in quite the best way (e.g., it didn’t let me select “improvement” as the type)
You've done it correctly, the type "Task" is what it should be.
I wonder what the perceived advantage was/is of keeping users and roles as separate concepts.
I think that's what SQL standard says. We've implemented roles in 10.0 looking into the standard and following it almost up to the letter. In 10.1 we've added an extension - default roles. We can add another extension, that's surely possible.

Regards,
Sergei