php - Should I use Postgres's roles system for a web app's user management?


Postgres has a featured user management system. Why should I duplicate the functionality and use one on top of that? And I think it is the right place to manage users & groups, as it allows fine-grained control. Am I wrong? Are there PHP libraries that have done that?
I should add that the app in question is not a public web site but a corporate app working in a private network.

I advocate that application designers make use of PostgreSQL's users and role system ... but for a number of reasons having a 1:1 mapping of app users to database users is not practical.

  • PostgreSQL roles are shared across all databases (though they don't have to be granted rights on any except one).

  • You can't have a foreign key reference from a normal application table to a PostgreSQL user table.

  • There's no function or other interface to authenticate a user by password. You have to make a new connection to authenticate by password. This breaks connection pooling.

Instead, I advise that you use a couple of roles in the database:

  • A database owner role. This user/role owns the database and the tables within it. Scripts that change the database structure ("migrations" and so on) run as this user.

  • A webapp role. This is the role the app connects as when establishing pooled connections. It is granted the access the app needs when running day to day. It can't change table structure, drop tables, etc. If a table is supposed to be append-only, you don't grant UPDATE rights to this role.

  • (Possibly) maintenance roles for scripts, etc., that have the limited access they need for their task.

You manage application users with normal tables.

Sometimes you want additional database roles for particular categories of user. This can be handy if you're dealing with apps with different privilege levels, departments, etc. The webapp can SET ROLE to switch roles, so if "joe" connects and you know "joe" is in accounts, you "SET ROLE accounts" before running queries for joe. This is more advanced, and people don't need it.

The main time I think using PostgreSQL user management directly makes sense is when the app has quite complex access requirements and doesn't need a huge profusion of different users (thousands, rather than millions). For webapps I'd stick to normal database tables and a separate "db admin" role from the webapp connection pool role.
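
The role layout described in the answer above, as an added example that is not part of the original post. It is a psql script meant to be run as a superuser; every role, database and table name (app_owner, app_web, accounts, appdb, app_user, audit_log, invoice) and every password or hash value is a hypothetical placeholder.

```sql
-- Added example; all role, database and table names are hypothetical.
-- psql script, run as a superuser. Replace the placeholder passwords.
CREATE ROLE app_owner LOGIN PASSWORD 'placeholder-owner';        -- runs migrations
CREATE ROLE app_web LOGIN NOINHERIT PASSWORD 'placeholder-web';  -- pooled connections
CREATE ROLE accounts NOLOGIN;                                    -- user category
GRANT accounts TO app_web;            -- permits SET ROLE accounts from app_web

CREATE DATABASE appdb OWNER app_owner;
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO app_web;
\connect appdb
REVOKE CREATE ON SCHEMA public FROM PUBLIC;   -- only the owner changes structure

SET ROLE app_owner;                   -- objects below are owned by app_owner
CREATE TABLE app_user (               -- application users live in a normal table
    id            bigserial PRIMARY KEY,
    login         text NOT NULL UNIQUE,
    password_hash text NOT NULL       -- hashed and verified by the application
);
CREATE TABLE audit_log (              -- append-only for the webapp
    id        bigserial PRIMARY KEY,
    user_id   bigint NOT NULL REFERENCES app_user(id),  -- FK works on app tables
    action    text NOT NULL,
    logged_at timestamptz NOT NULL DEFAULT now()
);
CREATE TABLE invoice (
    id         bigserial PRIMARY KEY,
    created_by bigint NOT NULL REFERENCES app_user(id),
    amount     numeric(12,2) NOT NULL
);
GRANT SELECT, INSERT, UPDATE ON app_user TO app_web;
GRANT SELECT, INSERT ON audit_log TO app_web, accounts;  -- no UPDATE or DELETE
GRANT SELECT ON app_user TO accounts;
GRANT SELECT, INSERT, UPDATE ON invoice TO accounts;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app_web, accounts;
RESET ROLE;

-- Simulate one pooled connection serving a user known to be in accounts.
SET SESSION AUTHORIZATION app_web;
INSERT INTO app_user (login, password_hash) VALUES ('joe', 'placeholder-hash');
SELECT count(*) FROM invoice;         -- fails: permission denied for app_web
SET ROLE accounts;
INSERT INTO invoice (created_by, amount)
    SELECT id, 120.00 FROM app_user WHERE login = 'joe';
UPDATE audit_log SET action = 'x';    -- fails: no UPDATE privilege was granted
RESET ROLE;                           -- back to app_web before reuse by the pool
RESET SESSION AUTHORIZATION;
```

SET ROLE does not constrain code that can run arbitrary SQL on the connection, because the session can issue RESET ROLE itself; in that case the split between app_owner and app_web is what still holds.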

