Re: [Django] #34200: Allow setting postgres role during connection setup

[Django]

#34200: Allow setting postgres role during connection setup
-------------------------------------+-------------------------------------
     Reporter:  Mike Crute           |                    Owner:  Mike
                                     |  Crute
         Type:  New feature          |                   Status:  closed
    Component:  Database layer       |                  Version:  4.1
  (models, ORM)                      |
     Severity:  Normal               |               Resolution:  needsinfo
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Mike Crute):

 Replying to [comment:4 Mariusz Felisiak]:
 > Thanks for the ticket, however I don't see anything "straightforward"
 about this solution, it seems complicated and quite niche. All the role-
 juggling looks like something the DBA should do, not something that
 framework is responsible for.

 Agreed that the role juggling should be done by a DBA or whomever is
 responsible for setting up the database but I **do** think it's the job of
 the framework to assume the correct role at runtime. There's no way for a
 DBA to force an application to assume a role by default in postgres. It
 has to be done by executing a statement on the newly opened connection.

 As for niche: in my experience, using ephemeral credentials that are
 leased from a (proprietary) credential management system is pretty common
 in really large companies that have strong controls around accounts and
 security. Also this is definitely a problem for anyone using Hashicorp
 Vault for credential management which I would suggest is not particularly
 niche.

 > Also, is it not already possible to `SET ROLE` in `DATABASE["OPTIONS"]`?
 (see [https://docs.djangoproject.com/en/stable/ref/settings/#std-setting-
 OPTIONS docs])

 Perhaps I'm missing something but I do not see how this is possible in the
 current settings. The connection setup logic must execute `SET ROLE
 <role>` against a cursor to set the role. It's not a client option that
 can just be passed through as far as I'm aware.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34200#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/01070184e5d0561f-d20f508b-7031-4c5d-90e4-87ff513fd9ad-000000%40eu-central-1.amazonses.com.