Skip site navigation (1) Skip section navigation (2)

[PATCH] user mapping extension to pg_ident.conf

From: Lars Kanis <kanis(at)comcard(dot)de>
To: pgsql-hackers(at)postgresql(dot)org
Cc: Magnus Hagander <magnus(at)hagander(dot)net>
Subject: [PATCH] user mapping extension to pg_ident.conf
Date: 2009-06-29 13:14:27
Message-ID: 200906291514.32351.kanis@comcard.de (view raw or flat)
Thread:
Lists: pgsql-hackers
Hi all,

this patch adds the possibility to map the login-rolename to a different 
rolename actually used for permissions.

What is it used for?

I'm working with smartcard based TLS-authentication to connect to the PG 
server. Authentication is done with the keys and certificates from the card 
within the TLS handshake. Certificate-CN and login-username have to be the 
same or have to match by the "pg_ident.conf". The role actually used for 
permissions is always the login-username. This patch allowes, to change the 
actually permissions to a role based on the certificate-CN. It is realised by 
an additional column in "pg_ident.conf".

When using ODBC, you have to setup a fixed username which is used for login. 
Different permissions depending on the CN of the certificate on the current 
smartcard could be achieved by the following line:

# MAPNAME     SYSTEM-USERNAME    PG-USERNAME   EFFECTIVE-USERNAME
ssl-user      /(.*)              dummy         \1

The extension could be similar used for kerberos authentication, too.

Bytheway I refactored the pg_ident-code a little bit, to avoid duplicated code 
and to allow substitution of more than one match (\2, \3 etc).

Questions (I'm quite new to the PG-sources and used to write Ruby code):
- Is this something useful - or is there a much easier way?
- Are there any implementation shortcomings?

regards
Lars Kanis

Responses

pgsql-hackers by date

Next:From: Peter HunsbergerDate: 2009-06-29 13:56:54
Subject: Re: Query progress indication - an implementation
Previous:From: Richard HuxtonDate: 2009-06-29 13:01:33
Subject: Re: Extensions User Design

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group