Changes between Initial Version and Version 1 of Ticket #34200, comment 5
- Timestamp:
- Dec 5, 2022, 11:06:26 PM (22 months ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #34200, comment 5
initial v1 2 2 > Thanks for the ticket, however I don't see anything "straightforward" about this solution, it seems complicated and quite niche. All the role-juggling looks like something the DBA should do, not something that framework is responsible for. 3 3 4 Agreed that the role juggling should be done by a DBA or whomever is responsible for setting up the database but I **do** think it's the job of the framework to assume the correct role at runtime. There's no way for a DBA to force an application to assume a role by default in postgres. Ithas to be done by executing a statement on the newly opened connection.4 Agreed that the role setup should be done by whomever is responsible for managing the database but I **do** think it's the job of the framework to assume the correct role at runtime. There's no way for an administrator to force an application to assume a role by default in postgres. They can assign a role to a role but it's up to the connection owner to actually assume that role, which has to be done by executing a statement on the newly opened connection. 5 5 6 As for niche: in my experience, using ephemeral credentials that are leased from a ( proprietary) credential management system is pretty common in really large companies that have strong controls around accounts and security. Also this is definitely a problem for anyone using Hashicorp Vault for credential management which I would suggest is not particularly niche.6 As for niche: in my experience, using ephemeral credentials that are leased from a (often proprietary) credential management system is pretty common in really large companies that have strong controls around accounts and security. Also this is definitely a problem for anyone using Hashicorp Vault for credential management which I would suggest is not particularly niche. 7 7 8 8 > Also, is it not already possible to `SET ROLE` in `DATABASE["OPTIONS"]`? (see [https://docs.djangoproject.com/en/stable/ref/settings/#std-setting-OPTIONS docs])