Hello, Mark!
2008/5/20 Mark Callaghan <mcallaghan@stripped>:
> On Mon, May 19, 2008 at 11:33 PM, Sergey Kudriavtsev
> <sergey.kudriavtsev@stripped> wrote:
>> Hello, everyone.
>>
>> So, I'm going to implement some basic role functionality in another two weeks.
>>
>> Specifically, I'm planning to do the following:
>>
>> 1. Add new necessary fields to mysql.user table:
>>
>> Default_role char(16) binary;
>> Comment varchar(50);
>> Create_role_priv enum('N','Y') character set utf8 NOT NULL default 'N';
>> Drop_role_priv enum('N','Y') character set utf8 NOT NULL default 'N'.
>>
>> To distinguish roles from users I propose to use the "Host" field of the
>> mysql.user table: if this field is empty, then we should consider the
>> specified record to be a role.
>> Currently an empty field is equivalent to '%'. I will change the behaviour of
>> the parser to always fail the host identity check when the checked field has
>> an empty value. I will also change the mysql_fix_privilege_tables script to
>> replace all existing empty "Host" field values with '%'.
>
> I think it is a bad idea to overload the Host field in this manner.
> This will confuse people. Anyone who looks at the DDL for the table
> will have no idea that this had been done. It will also increase
> support costs for MySQL. Why not add the column "Is_role enum('N',
> 'Y')"? You are already making many other changes.
>
OK, as I see from the feedback, this is the preferred way :) But I'll also
have to add the same column to the mysql.tables_priv, procs_priv and
columns_priv tables in order to keep this construction consistent.
> When a user connects and has a default role, does the connection use
> the merged privileges of the user and role?
Yes.
> When a user switches to a role, does the connection use the merged
> privileges of the user and role?
>
Yes.
[skipped]
> Does SHOW PROCESSLIST display the role or the user name used for authentication?
>
> If SHOW PROCESSLIST displays the user name, what command can I run to
> display the user name and role per connection?
>
I really hadn't thought about it; thanks for the tip :). I will
definitely modify the corresponding
table in the INFORMATION_SCHEMA database, and I'll also consider modifying
the SHOW PROCESSLIST statement.
--
Life is good! And good life is even better...
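To make the design discussed in this exchange concrete, the following is an added example (not part of the thread, and not MySQL's own code; MySQL 8.0 eventually implemented roles with a different table layout). It models the proposed mysql.user columns (Is_role, Default_role, Comment, Create_role_priv, Drop_role_priv) in an in-memory SQLite table with constructed sample rows, and shows the three behaviours the reply commits to: a role row can never authenticate, a connection gets the merged privileges of the user and its default or switched role, and a process-list view reports both the authenticated user and the active role per connection. Host matching is simplified to exact match or '%', and the privilege column set is a hypothetical subset chosen for illustration.

```python
"""Model of the grant-table layout proposed in the thread.
Added example: not MySQL's implementation. Uses sqlite3 in memory
with constructed sample rows; host matching is exact-or-'%' only."""
import sqlite3

# Hypothetical subset of mysql.user privilege columns, plus the two new ones.
PRIV_COLUMNS = ("Select_priv", "Insert_priv", "Update_priv", "Delete_priv",
                "Create_role_priv", "Drop_role_priv")


def open_grant_db():
    """Create an in-memory mysql.user lookalike with the proposed columns."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    priv_defs = ",\n".join(
        f"  {c} TEXT NOT NULL DEFAULT 'N' CHECK ({c} IN ('N','Y'))"
        for c in PRIV_COLUMNS)
    conn.executescript(f"""
    CREATE TABLE user (
      Host TEXT NOT NULL,
      User TEXT NOT NULL,
      Is_role TEXT NOT NULL DEFAULT 'N' CHECK (Is_role IN ('N','Y')),
      Default_role TEXT NOT NULL DEFAULT '',
      Comment TEXT NOT NULL DEFAULT '',
    {priv_defs},
      PRIMARY KEY (Host, User)
    );
    -- constructed sample rows: two users and two roles
    INSERT INTO user (Host, User, Is_role, Default_role, Comment, Select_priv)
      VALUES ('localhost', 'alice', 'N', 'reporting', 'analyst', 'Y');
    INSERT INTO user (Host, User, Is_role, Create_role_priv, Drop_role_priv)
      VALUES ('%', 'bob', 'N', 'Y', 'Y');
    INSERT INTO user (Host, User, Is_role, Select_priv, Insert_priv)
      VALUES ('%', 'reporting', 'Y', 'Y', 'Y');
    INSERT INTO user (Host, User, Is_role, Update_priv, Delete_priv)
      VALUES ('%', 'writer', 'Y', 'Y', 'Y');
    """)
    return conn


def _row_privs(row):
    """Names of the privilege columns set to 'Y' in a user/role row."""
    return {c for c in PRIV_COLUMNS if row[c] == "Y"}


def _find_role(conn, name):
    """Only rows flagged Is_role='Y' qualify as roles."""
    return conn.execute(
        "SELECT * FROM user WHERE User=? AND Is_role='Y'", (name,)).fetchone()


def authenticate(conn, user, host):
    """Host check: exact match wins over '%'. Rows with Is_role='Y' are
    excluded, so a role name can never be used to log in."""
    return conn.execute(
        "SELECT * FROM user WHERE User=? AND Is_role='N' AND (Host=? OR Host='%')"
        " ORDER BY CASE WHEN Host='%' THEN 1 ELSE 0 END LIMIT 1",
        (user, host)).fetchone()


def login_allowed(conn, user, host):
    return authenticate(conn, user, host) is not None


class Session:
    """One connection: authenticated user plus the currently active role."""

    def __init__(self, conn, user, host):
        row = authenticate(conn, user, host)
        if row is None:
            raise PermissionError(f"access denied for {user}@{host}")
        self.conn, self.user, self.host = conn, user, host
        self._user_privs = _row_privs(row)
        self.role, self._role_privs = None, set()
        role_row = _find_role(conn, row["Default_role"]) if row["Default_role"] else None
        if role_row is not None:            # dangling Default_role -> no role
            self.role, self._role_privs = row["Default_role"], _row_privs(role_row)

    def set_role(self, name):
        """SET ROLE: switch the active role; users are not switchable into."""
        role_row = _find_role(self.conn, name)
        if role_row is None:
            raise LookupError(f"unknown role {name}")
        self.role, self._role_privs = name, _row_privs(role_row)

    def privileges(self):
        """Merged privileges of the user and the active role."""
        return sorted(self._user_privs | self._role_privs)


def processlist(sessions):
    """Per-connection view reporting both user and active role."""
    return [(i, s.user, s.host, s.role or "NONE")
            for i, s in enumerate(sessions, 1)]


if __name__ == "__main__":
    db = open_grant_db()
    alice = Session(db, "alice", "localhost")
    print(alice.role, alice.privileges())
    alice.set_role("writer")
    print(alice.role, alice.privileges())
    print(processlist([alice, Session(db, "bob", "anywhere")]))
    print("role login allowed:", login_allowed(db, "reporting", "localhost"))
```

The Is_role flag does the work the thread argued over: authenticate() filters on it so a role row is never a login candidate, and set_role() requires it so a user row cannot be assumed as a role, while Default_role and the merged privilege set give the "Yes" answers to both of Mark's privilege questions.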