Code review comment for lp:~clint-fewbar/drizzle/authorize-default-deny

Clint Byrum (clint-fewbar) wrote :

On Thu, 2011-02-24 at 08:59 +0000, Olaf van der Spek wrote:
> > One of the original goals was to allow people who don't use any authentication
> > whatsoever to have a zero cost auth if they don't use it.
>
> An "Always Allow" plugin has minimal overhead and allows for a safe default.

Essentially this exists by making the default allow. Those concerned
with harsher controls can use --authorize-default-deny and configure
their authorization plugin accordingly.

>
> > I suspect what a distribution would do is install a default plugin, maybe one
> > for instance which just does localhost and limits a user based on their login
> > information (i.e. grab the username and then use that as the credentials).
>

I am doing this work specifically for the packaging in Ubuntu and
Debian. The simple_user_policy with auth_file is good enough for most
apps, but there is a need for a backup-everything user. Rather than
rely on the literal "root" and all the privilege it brings, it makes
sense to have another set of rules defined elsewhere.

> Is such a plugin available yet?

I'm writing a regex-based plugin that just does simple user to
table/schema/process mapping to either ACCEPT or DENY.

The idea is that one can have the simple user policy and the regex-based
policy, and this flag allows you to control how they work together.
