I'm trying to understand the initial steps of PostgREST tutorial.
In the mentioned tutorial, it is recommended to create two different roles named web_anon and authenticator as below:
create role web_anon nologin;
grant usage on schema api to web_anon;
grant select on api.todos to web_anon;
create role authenticator noinherit login password 'mysecretpassword';
grant web_anon to authenticator;
As far as I know, the the PostgREST server receives Rest API requests from the clients, without any information about the user (role). And also, as far as I know, nologin roles can't do login to database. (can they send queries?)
So the questions are:
why do we need two different roles? What is the role of web_anon and what is the role of authenticator?
What can a nologin role do in postgres?
When PostgREST receives a rest API query, which user does it use to send and execute that query to the database?
A NOLOGIN role can be seen as a user group. The idea is to attach all privileges to a group rather than to individual users, which has several advantages:
It is possible to drop the user, because it does not have any privileges.
It is less work to add a user to a group or remove a user from a group than to grant or revoke lots of permissions whenever you have to add a user or change its privileges.
There is no danger of having so many individual ACL entries attached to a single database object that it becomes impossible to add more permissions (the whole metadata row has to fit into a single 8kB block).
This whole exercise only makes sense if you have many users in the database, otherwise it is silly. But it is a good idea to have different users for different purposes.
A NOLOGIN role can either be a group that carries privileges that users can inherit.
Another use is that you can use SET ROLE to assume the identity of the role.
I guess whatever user you use in the PostgreSQL connect string.