From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Ron Snyder <snyder(at)roguewave(dot)com> |
Cc: | "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Neil Conway <nconway(at)klamath(dot)dyndns(dot)org>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Open 7.3 items |
Date: | 2002-07-31 21:40:11 |
Message-ID: | 200207312140.g6VLeBm23919@candle.pha.pa.us |
Lists: | pgsql-hackers |
Ron Snyder wrote:
> > As for 7.3, maybe we can get that done in time if everyone
> > likes it. If we can't, what do we do? Do we re-add the secondary
> > password file stuff that most people don't like? My big question
> > is how many other PostgreSQL users figured out they could use the
> > secondary password file for username/db restrictions? I never
> > thought of it myself. Maybe I should ask on general.
>
> Unless I'm misunderstanding you, we use it and like it. We have several
> servers on one machine that all access the same password file (we have it
> softlinked). If we need to create a user that accesses only one cluster,
> then they get added to the file and created in the specific cluster. If
> that user then needs access to a different cluster, they just need to be
> added to the new cluster.
>
> The reason this is beneficial for us is because we then have the ability to
> have postgres only user accounts, as well as accounts from YP. When the YP
> user changes their unix password in YP, their postgres db account password
> changes as well (via cronjob).
>
> There are fewer passwords for them to manage in this way, but we still get
> the benefit of greater separation between clusters.
>
> Let me know if you want more information about how we use it (or if I
> misunderstood). What is it that people _don't_ like?
OK, how do secondary passwords work in pg_hba.conf? It requires
clear-text 'password', right, because the password is already crypt-ed
in the file.
Here you are using it for something different, where one file is used
for multiple clusters. Interesting.
The current code allows you to point to a file for a list of users,
which could be symlinked, so that is handled. The only part not handled
is the password part.
One idea I had was to look for a colon in the username, and if I see
one, I assume everything after the colon is a password. Would that work
for you?
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
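Taking the colon rule floated above literally, here is an added example (my own code, not PostgreSQL's and not from anyone in this thread) that parses a user-list file where `name` admits a user and `name:hash` also carries that user's crypt-ed password, then checks a clear-text password against it. The hash function is a hashlib stand-in for crypt(3), and the skipping of blank lines and `#` comments is an assumption.

```python
import hashlib
import hmac
from typing import Dict, Optional

def parse_user_file(text: str) -> Dict[str, Optional[str]]:
    """Map username -> stored hash, or None when the line names a user only.
    Split on the FIRST colon so everything after it is the hash (a hash that
    itself contains ':' survives). Comment/blank handling is an assumption."""
    users: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, stored = line.partition(":")
        name = name.strip()
        if not name:
            raise ValueError(f"line has no username: {raw!r}")
        users[name] = stored if sep else None
    return users

def stand_in_hash(password: str, salt: str) -> str:
    """Constructed stand-in for crypt(3) so the example runs anywhere;
    output is '$x$<salt>$<digest>' so the salt can be recovered like crypt's."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:16]
    return f"$x${salt}${digest}"

def check_password(users: Dict[str, Optional[str]], name: str,
                   presented: str) -> Optional[bool]:
    """True/False verdict from the file, or None when the user is listed
    without a hash (password must then be checked elsewhere).
    The client's password has to arrive in clear text ('password' method):
    the server re-hashes it with the salt already stored in the file, so a
    pre-hashed or challenge-style credential could not be compared."""
    if name not in users:
        return False                  # not in the list: rule does not admit
    stored = users[name]
    if stored is None:
        return None
    parts = stored.split("$")         # ['', 'x', salt, digest]
    if len(parts) != 4:
        return False                  # malformed entry fails closed
    return hmac.compare_digest(stand_in_hash(presented, parts[2]), stored)

# Constructed sample file: alice has a password here, bob is list-only.
SAMPLE_FILE = (
    "# constructed sample, not a real PostgreSQL file\n"
    "alice:" + stand_in_hash("s3cret", "ab") + "\n"
    "bob\n"
)
```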