Re: [v9.1] Add security hook on initialization of instance

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [v9.1] Add security hook on initialization of instance
Date: 2010-06-15 12:37:50
Message-ID: 20100615123750.GG21875@tamriel.snowman.net
Lists: pgsql-hackers

KaiGai,

* KaiGai Kohei (kaigai(at)ak(dot)jp(dot)nec(dot)com) wrote:
> In the attached patch, the security hook was moved to ClientAuthentication()
> from InitPostgres(), for more clarification of the purpose.
> What I want to do is to assign additional properties to identify the client
> (such as security label) for each authenticated session.
>
> Its purpose is similar to the "session" module of PAM in the operating system.
> It allows assigning additional session properties beyond the user-id.

That's all fine- but let's work within the confines of the *existing*
hook that's been discussed to get something working first before we go
adding hooks in other places. I think it's important that we put
together at least a proof of concept that an SELinux module or other
external auth module can sensibly use the DML hook.

After that, we can discuss what other hooks are needed. KaiGai, please,
before sending in patches of any kind, propose at a high-level what the
problem is and what the security module needs in general terms. If you
have a recommendation, that's fine, but let's talk about it before
implementing anything.

Thanks,

Stephen
