Subject | RE: [Firebird-Architect] Re: User name SYSDBA |
---|---|
Author | Leyne, Sean |
Post date | 2005-08-10T02:10:05Z |
Dave,
Your comments are appreciated.
> The user logs into the web application, but for any given transaction
> they will be using one of about 50 connections from a pool that is
> shared with 1000 concurrent users.

Understood and can see the problems which opening individual connections
would create.
But it seems we are talking about two different problems.
> In micro-scaled systems, the nominal cost of making and breaking...
> connections is just that - nominal.
> When you add the overheads of
> preparing queries to every connection, it becomes quite serious,
> particularly on wIntel type hardware.

I agree and this is something that will be worked on.
> Behind the scenes, the millions of people viewing and posting to the
> Yahoo groups application via either the web or the email interfaces
> are using a small pool of just a few hundred dedicated connections to
> the backing database. The connection I retrieved data on is unlikely
> to be the connection that I post this reply on.

Completely agree!
> Yahoo's security model is primarily implemented in their
> application. It is likely that a person with knowledge of the one ID
> and password that the application uses would have god-like authority
> on the data in the DBMS that backs this email group.
>
> With Jim's proposed model, the application does not need to know the
> user's security any more.

I don't see that as being true.

The application will need to know the user's security in order to limit
the functions available.
> The application only needs to know the
> user and the role that the user wants, and to provide that with the
> start-transaction information.

But the user must be validated for the role; where is this validation
data going to be stored?
I know that you're not suggesting that I can login as user "Sean" with
the role "SysAdmin" at my whim.
> The PAM approach means that low-end systems can use lighter weight
> security, while larger and more robust security requirements can be
> enforced in the DBMS with minimum impact on performance.

I can see how PAM can perform database **access** authorization
(replacing the password database), I don't see how it can take over the
management of user/role/group management. Perhaps I need to be shown
the light.
Sean