On 4/23/15 5:48 PM, Geoff Montee wrote:
I'm not a big fan of this bit from the MySQL documentation:
"When a single account has been granted proxy privileges on more than one account, the server mapping is nondeterministic. Therefore, granting proxy privileges on multiple accounts to a single account is discouraged."
Nondeterministic behavior can be pretty messy. Maybe improving the role system to support more use cases would be better than going down this route?
Agreed. It should fail, IMO, when you try to add a 2nd PROXY privilege to the same user. Very strange design.
Judging by the original JIRA issue for role support, separating roles and user accounts into different namespaces was a design decision:
https://mariadb.atlassian.net/browse/MDEV-4397
It would be nice to have the flexibility to allow roles to log in (similar to how PostgreSQL roles can be defined with "WITH LOGIN" role attributes), but I'm not sure if MariaDB will get that feature. Maybe submit a feature request to our JIRA?
Done: https://mariadb.atlassian.net/browse/MDEV-8047
I’m not sure it’s filed in quite the best way (e.g., it didn’t let me select “improvement” as the type); if you have a chance, I’d much appreciate checking out that it’s “good to go” for due consideration.
I wonder what the perceived advantage was/is of keeping users and roles as separate concepts.
-FG