maria-discuss team mailing list archive

[Felipe Gasper <felipe@xxxxxxxxxxxxxxxx>]

On 4/23/15 5:48 PM, Geoff Montee wrote:
> I'm not a big fan of this bit from the MySQL documentation:
>
> "When a single account has been granted proxy privileges on more than
> one account, the server mapping is nondeterministic. Therefore,
> granting proxy privileges on multiple accounts to a single account is
> discouraged."
>
> Nondeterministic behavior can be pretty messy. Maybe improving the
> role system to support more use cases would be better than going down
> this route?

Agreed. It should fail, IMO, when you try to add a 2nd PROXY privilege 
to the same user. Very strange design.

> Judging by the original JIRA issue for role support, separating roles
> and user accounts into different namespaces was a design decision:
>
> https://mariadb.atlassian.net/browse/MDEV-4397
>
> It would be nice to have the flexibility to allow roles to log in
> (similar to how PostgreSQL roles can be defined with "WITH LOGIN" role
> attributes), but I'm not sure if MariaDB will get that feature. Maybe
> submit a feature request to our JIRA?

Done: https://mariadb.atlassian.net/browse/MDEV-8047

I’m not sure it’s filed in quite the best way (e.g., it didn’t let me 
select “improvement” as the type); if you have a chance, I’d much 
appreciate checking out that it’s “good to go” for due consideration.

I wonder what the perceived advantage was/is of keeping users and roles 
as separate concepts.

-FG