Re: Open 7.3 items

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>
Cc: Neil Conway <nconway(at)klamath(dot)dyndns(dot)org>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Open 7.3 items
Date: 2002-07-31 21:05:35
Message-ID: 200207312105.g6VL5ZN21031@candle.pha.pa.us
Lists: pgsql-hackers

Marc G. Fournier wrote:
> On Wed, 31 Jul 2002, Neil Conway wrote:
>
> > On Wed, Jul 31, 2002 at 02:01:43AM -0300, Marc G. Fournier wrote:
> > > add in 'fix pg_hba.conf / password issues' to that too :)
> >
> > I doubt that will make 7.3 -- the proposals I've seen on this topic
> > require some reasonably complex additions to the authentication
> > system. We also still need to hash out which design we're going
> > to implement. Given that it's pretty esoteric, I'd prefer this
> > wait for 7.4
>
> Then, the current changes *should* be removed, as we have no idea how many
> sites out there we are going to break without that functionality ... I
> know I personally have 200+ servers that will all break as soon as I move
> to v7.3 with it as is :(

OK, I have thought about this. First, a possible solution would be to
have a GUC variable that prepends the dbname to all username
specifications, so the username becomes dbname.username. When you
CREATE USER "test", it actually does CREATE USER "dbname.test". Same
with ALTER/DROP user and lookups in pg_hba.conf and authentication.
Basically it gives us a per-db user namespace. Only the superuser has a
non-db qualified name. (Actually, createuser script would fail because
it connects only to template1. You would have to use psql and CREATE
USER. Probably other things would fail too.)

As for 7.3, maybe we can get that done in time if everyone likes it. If
we can't, what do we do? Do we re-add the secondary password file stuff
that most people don't like? My big question is how many other
PostgreSQL users figured out they could use the secondary password file
for username/db restrictions? I never thought of it myself. Maybe I
should ask on general.

Marc, you do have a workaround for 7.3 using your IPs, right, or is
there a problem with the password having to be the same for different
hosts with the same username? If Marc is the only one, and he has a
workaround, we may just go ahead and leave it for 7.4.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
