Re: Open 7.3 items

From: Hannu Krosing <hannu(at)tm(dot)ee>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Neil Conway <nconway(at)klamath(dot)dyndns(dot)org>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Open 7.3 items
Date: 2002-08-01 05:26:49
Message-ID: 1028179609.2156.13.camel@rh72.home.ee
Lists: pgsql-hackers

On Thu, 2002-08-01 at 02:05, Bruce Momjian wrote:
> Marc G. Fournier wrote:
> > On Wed, 31 Jul 2002, Neil Conway wrote:
> >
> > > On Wed, Jul 31, 2002 at 02:01:43AM -0300, Marc G. Fournier wrote:
> > > > add in 'fix pg_hba.conf / password issues' to that too :)
> > >
> > > I doubt that will make 7.3 -- the proposals I've seen on this topic
> > > require some reasonably complex additions to the authentication
> > > system. We also still need to hash out which design we're going
> > > to implement. Given that it's pretty esoteric, I'd prefer this
> > > wait for 7.4
> >
> > Then, the current changes *should* be removed, as we have no idea how many
> > sites out there we are going to break without that functionality ... I
> > know I personally have 200+ servers that will all break as soon as I move
> > to v7.3 with it as is :(
>
> OK, I have thought about this. First, a possible solution would be to
> have a GUC variable that prepends the dbname to all username
> specifications, so the username becomes dbname.username.

When I first read Marc's post about this I also thought that the users
were partitioned by database, but further reading revealed that this was
not the case - actually they were partitioned by _a_group_of_databases_,
as each of his virtual hosts accesses _at_least_ one but possibly
more databases using the same user (bruce ;).

So we would need some sort of database groups that share the same users.

We have to do something like this:

real_user_name = mk_real_user_name(username,dbname)

which uses some mapping table to find the real user that is trying to
connect to the database.

This name mangling should be done at connect time and kept out of the
database, where each user's name should always be fully resolved
(bob(at)accounting(dot)acme(dot)com).

This may require raising the length of NAME type to be backwards
compatible. Or we might just add USEDOMAIN column to uniquely identify
the user, so the above user would still have usename=bob but also
usedomain="accounting.acme.com".

-----------
Hannu
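
A sketch of the connect-time lookup proposed in the message above, added here as an example; it is not part of the original message and not PostgreSQL code. The table layout, the sample databases and users, and the body of mk_real_user_name are all assumptions. It fails closed when the database is in no group, when the user does not exist in that group, or when the client tries to supply a domain itself.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample data: the database group (domain) of each database. */
struct db_group { const char *dbname; const char *usedomain; };
static const struct db_group db_groups[] = {
    { "acme_web",    "accounting.acme.com" },
    { "acme_ledger", "accounting.acme.com" },
    { "widgets_web", "widgets.example" },
};
/* Constructed sample data: users stored as (usename, usedomain). */
struct db_user { const char *usename; const char *usedomain; };
static const struct db_user db_users[] = {
    { "bob",   "accounting.acme.com" },
    { "bob",   "widgets.example" },
    { "alice", "widgets.example" },
};
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Resolve a connect-time name to user@domain (hypothetical implementation).
 * Returns 0 on success, -1 with out emptied on any failure. */
int mk_real_user_name(const char *username, const char *dbname,
                      char *out, size_t outlen)
{
    const char *domain = NULL;
    size_t i;
    int n;
    if (outlen == 0) return -1;
    out[0] = '\0';
    /* The client sends only the short name; it may not pick a domain. */
    if (username[0] == '\0' || strchr(username, '@') != NULL) return -1;
    for (i = 0; i < NELEM(db_groups); i++)
        if (strcmp(db_groups[i].dbname, dbname) == 0)
            domain = db_groups[i].usedomain;
    if (domain == NULL) return -1;      /* database is in no group */
    for (i = 0; i < NELEM(db_users); i++)
        if (strcmp(db_users[i].usename, username) == 0 &&
            strcmp(db_users[i].usedomain, domain) == 0) {
            n = snprintf(out, outlen, "%s@%s", username, domain);
            if (n < 0 || (size_t) n >= outlen) { out[0] = '\0'; return -1; }
            return 0;
        }
    return -1;                          /* no such user in this group */
}

int main(void)
{
    char name[64];
    if (mk_real_user_name("bob", "acme_ledger", name, sizeof name) == 0) puts(name);
    return 0;
}
```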
