The first thing I will say here is that you really need to encapsulate this properly to make it work. Secondly this is a good case where breaking 1NF is likely to be a good thing performance-wise.
I would break this into three pieces, totally mangling Codd's rules in the process, but I think those can be broken in certain cases and here breaking one piece demands breaking more pieces in order to correct the damage.
The first piece is the administration portion. In this portion, permissions are stored in the form you are currently using. This is used for updating and managing the permissions in a relational way. These would then be compiled for a specific row using a stored procedure.
The second piece is the storage piece. Here the rows are stored with the roles in an array as you suggest in your first answer. The arrays here are indexed using GIN which makes lookups a lot faster.
Third, you need encapsulation logic, such as views to only retrieve the rows a user has access to, or a stored procedure interface which checks the roles adding WHERE my_role_id = ANY(roles) to the end of the query.
To make this work you will need to compile the permissions when they are changed. However this structure allows you to say "all rows that Bob has access to can now be accessed by Joe."
CREATE TABLE foo (
id serial not null unique,
....
roles int[]
);
CREATE TABLE foo_roles (
foo_id int not null references foo(id),
role_id int not null references roles(id)
);
CREATE OR REPLACE FUNCTION rebuild_foo_roles(in_foo_id int) RETURNS int[]
LANGUAGE SQL AS $$
UPDATE foo SET roles = (select array_agg(role_id) from foo_roles
where foo_id = $1)
WHERE role_id = $1
RETURNING roles;
$$;
Then you'd update the permissions by altering the data in foo_roles and then calling rebuild_foo_roles with the ids of the rows you want to modify.
Now one thing about this structure is that it makes lookups fast, but updates to the permissions pretty slow.
Update: A note about GIN indexes (per request).
Traditional database indexes are b-trees, which means you can search by comparing an expected value to branches of the index, and then traversing to leaves. This works well if searching either on the whole value (WHERE foo = 'my_fun_value') but it doesn't work well with more complex searches. GIN indexes (Generalized Index Method) allow for indexes to be used in a wider variety of searches, but they are slightly slower than b-tree indexes. GIN indexes can be used to ask questions like:
Is value x in array y? (our use case here)
Does circle A overlap with circle B?
Does line segment C cross line segment D?
Does appointment A overlap time-wise with appointment B?
In newer versions of PostgreSQL you can use these indexes to enforce constraints like "No appointments in any given room may overlap time-wise" but the main use case here is that it makes searching arrays to be fast.
In general a GIN index will give you much better performance than a b-tree or GIST index on a join. In this case your query against foo can be an index scan against the relation with no joins needed.
Disclaimer - I'm not a huge sys admin buff, so my information may not be correct.. I also realize that the error says "host" - but I don't think that means it has to be a host entry in pg_hba.conf
When you connect to localhost, it uses the loopback address 127.0.0.1 (unless that configuration on your computer has been tampered with) to connect to your system, which counts as a "HOST" connection..
When you connect to "myComputer" (which happens to be your computer name), I'm pretty sure your OS is smart enough to say "oh hey! that's me!" and doesn't even bother resolving an ip address .. it just does a direct connection. This would be a "LOCAL" connection for postgres..
Try adding local all all ::1/128 trust to your pg_hba.conf file..
Then either restart the server, or connect as a superuser and issue select pg_reload_conf() (preferred method).
UPDATE: I tried instead of using the name of the machine, using it's static ipv4 IP address, which worked. The problem has something to do with the ipv6 connection.
That still works because it's still using a HOST connection (instead of a LOCAL one). Try what I suggest and see if you still get an error when connecting to the computer hostname.
Best Answer
You can turn on "log_statement_stats", and look at the 'max resident size' line from the log file (or set
client_min_messages TO log;).Is is a pretty crummy interface, and the number it gives is the high water mark for the connection, so you would have to run each statement in a separate connection while testing it.