Role config per database [was: How to rewrite "Defining Custom Privilege" in version 6.]
We had a custom privilege in ldap2pg version 5. See the example: https://ldap2pg.readthedocs.io/en/v5/privileges/
How do I implement that in version 6?
With regards, Herman Pool
Hi @HermanPool. This is a regression of ldap2pg 6.0. Can you share your custom privilege to see how you could implement this in 6.0?
In 6.0, privileges are distinct from ACL. An ACL returns all aclitem from a system catalog. A privilege references a privilege type in an ACL.
I plan to add custom ACL so that you can reference more system catalog acls like foreign data wrapper, etc.
Waiting for your use case.
Étienne
See the attached zip file for the ldap2pg.yml file ldap2pg.zip
Ok, interesting. You used privileges to configure a role. ldap2pg 6 allows you to configure global role parameters. I suggest to implement per database role parameters.
See https://ldap2pg.readthedocs.io/en/latest/config/#role-options
I suggest the following configuration format:
rules:
- role:
    name: alice
    config:
      __global__:
        log_statement: all
      db1:
        edb_audit_statement: all
What do you think of this? Do you need LDAP attribute injection in config?
In the attached file is my version 6 yml file. ldap2pg_20231012.zip
The purpose is that everybody in the App_DBApg_ddl, App_DBApg_write and App_DBApg_read groups gets the value "all" for the config property edb_audit_statement. After running ldap2pg, if I log in and do a "show edb_audit_statement", I get the default value "none" where I expected the value "all". I am a member of the App_DBApg_ddl and ldap_roles roles in postgres.
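To see which per-role and per-database parameters are actually stored on the server after a run, and where a session's effective value comes from, the PostgreSQL catalogs can be queried directly. This is an added example, not part of the original thread and not ldap2pg's own output; the role `alice` and database `db1` come from the proposed format above, and the `ALTER ROLE` statements are an assumption about what that format would translate to, on a server where `edb_audit_statement` is a valid parameter.

```sql
-- Assumed SQL equivalent of the proposed config (run as a superuser).
-- __global__ -> setting for the role in every database
ALTER ROLE alice SET log_statement = 'all';
-- db1 -> setting for the role in one database only
ALTER ROLE alice IN DATABASE db1 SET edb_audit_statement = 'all';

-- 1. What is stored: one row per (role, database) pair that has settings.
--    setrole = 0 or setdatabase = 0 means "not specific", hence the LEFT JOINs.
SELECT coalesce(r.rolname, '(all roles)')     AS role_name,
       coalesce(d.datname, '(all databases)') AS database_name,
       s.setconfig
FROM pg_db_role_setting AS s
LEFT JOIN pg_roles    AS r ON r.oid = s.setrole
LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
ORDER BY role_name, database_name;

-- 2. What the current session uses and why.
--    source is 'user', 'database' or 'database user' when the value came
--    from pg_db_role_setting, and 'default' when nothing applied.
SELECT name, setting, source
FROM pg_settings
WHERE name IN ('log_statement', 'edb_audit_statement');

-- 3. Settings stored on roles the current user is only a member of.
--    PostgreSQL applies role settings for the login role itself at
--    connection time; settings on a group role are not inherited by
--    its members, so rows listed here do not affect this session.
SELECT r.rolname AS group_role,
       coalesce(d.datname, '(all databases)') AS database_name,
       s.setconfig
FROM pg_db_role_setting AS s
JOIN pg_roles AS r ON r.oid = s.setrole
LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
WHERE r.rolname <> current_user
  AND pg_has_role(current_user, r.oid, 'MEMBER')
ORDER BY group_role, database_name;
```

Role settings are read at login, so reconnect after changing them before running query 2.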