Re: Allowing usernames in pg_hba.conf

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Allowing usernames in pg_hba.conf
Date: 2002-03-10 07:31:39
Message-ID: 25487.1015745499@sss.pgh.pa.us
Lists: pgsql-hackers

Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> We have the following TODO item:
> * Allow usernames to be specified directly in pg_hba.conf (Bruce)

> My idea is to allow comma-separated usernames in the AUTH_ARGUMENT
> column. Right now we use it for ident user map files and secondary
> password files. It seems both easily already allow username
> restrictions. Adding usernames directly in pg_hba.conf is basically a
> shortcut to creating such secondary files.

> My idea is that if AUTH_ARGUMENT starts with "=", it represents a list
> of comma-separated usernames.

Ugh. What of the auth methods that have another interpretation for
AUTH_ARGUMENT?

> Do I need to allow usernames with spaces or quoted usernames? I don't
> think so.

I do.

This is definitely stressing pg_hba past its design limits --- heck, the
name of the file isn't even appropriate anymore, if usernames are part
of the match criteria. Rather than contorting things to maintain a
pretense of backwards compatibility, it's time to abandon the current
file format, change the name, and start over. (I believe there are
traces in the code of this having been done before.) We could probably
arrange to read and convert the existing pg_hba format if we don't see
a new-style authentication config file out there.

My first thoughts are (a) add a column outright for matching username;
(b) for both database and username columns, allow a filename reference
so that a bunch of names can be stored separately from the master
authentication file. I don't much care for sticking large lists of
names into the auth file itself.

It would be good to go back over the past complaints about "I can't
do this with pg_hba" to see if this is sufficient to solve them.

regards, tom lane
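The per-user authentication file Tom sketches above (a separate username column, file references so that long name lists live outside the master file, and quoted names so that names with spaces work) can be tried out with a small matcher. The following is an added example written for this page; it is not PostgreSQL's code, and the column order, the `@file` include syntax, the `pg_auth.conf` name and the sample file contents are all assumptions chosen for illustration.

```python
"""Matcher for the per-user auth file sketched above (added example, not
PostgreSQL code).  Column layout, the '@file' include syntax and the sample
file contents are assumptions chosen for illustration only."""
import ipaddress

# Constructed stand-in for files on disk: the master file plus two name-list
# files, so that long lists of names stay out of the master file.
FILES = {
    "pg_auth.conf": """
# TYPE  DATABASE      USER              ADDRESS         METHOD
local   all           all                               trust
host    @payroll_dbs  @payroll_users    10.1.0.0/16     md5
host    all           "Jane Doe",alice  192.168.1.0/24  md5
host    "all"         "all"             10.2.0.0/16     md5
host    all           all               0.0.0.0/0       reject
""",
    "payroll_dbs": "payroll\nhr_ledger\n",
    "payroll_users": 'bob\n"Jane Doe"\n',
}

def tokenize(line):
    """Whitespace-separated fields; double quotes protect spaces and stay in
    the field so split_names() can tell the keyword all from a name "all"."""
    fields, cur, inq = [], "", False
    for ch in line:
        if ch == '"':
            inq = not inq
            cur += ch
        elif ch == "#" and not inq:      # comment to end of line
            break
        elif ch.isspace() and not inq:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
    if inq:
        raise ValueError("unterminated quote: " + line)
    return fields + [cur] if cur else fields

def split_names(field, files, depth=0):
    """Expand a DATABASE or USER field into (matches_everything, names).
    Comma-separated; a quoted name may hold spaces or commas and is never
    the keyword all; '@name' pulls more names from files[name]."""
    items, cur, inq, quoted = [], "", False, False
    for ch in field + ",":
        if ch == '"':
            inq, quoted = not inq, True
        elif ch == "," and not inq:
            items.append((cur, quoted))
            cur, quoted = "", False
        else:
            cur += ch
    is_all, names = False, set()
    for text, quoted in items:
        if not text:
            continue
        if not quoted and text == "all":
            is_all = True
        elif not quoted and text.startswith("@"):
            if depth > 8 or text[1:] not in files:
                raise ValueError("bad include " + text)
            for line in files[text[1:]].splitlines():
                for sub in tokenize(line):
                    sub_all, sub_names = split_names(sub, files, depth + 1)
                    is_all, names = is_all or sub_all, names | sub_names
        else:
            names.add(text)
    return is_all, names

def parse(files, master="pg_auth.conf"):
    """Master file -> ordered rules (ctype, dbs, users, network, method)."""
    rules = []
    for lineno, line in enumerate(files[master].splitlines(), 1):
        f = tokenize(line)
        if not f:
            continue
        if f[0] == "local" and len(f) == 4:
            ctype, db, user, method = f
            network = None
        elif f[0] == "host" and len(f) == 5:
            ctype, db, user, addr, method = f
            network = ipaddress.ip_network(addr)
        else:
            raise ValueError(f"{master}:{lineno}: malformed rule")
        rules.append((ctype, split_names(db, files), split_names(user, files),
                      network, method))
    return rules

def lookup(rules, ctype, database, user, client_ip=None):
    """First matching rule wins, as in pg_hba.conf.  None means no rule
    applied; a server must treat that as a rejection, not a fall-through."""
    for rtype, (db_all, dbs), (user_all, users), network, method in rules:
        if rtype != ctype:
            continue
        if ctype == "host" and ipaddress.ip_address(client_ip) not in network:
            continue
        if (db_all or database in dbs) and (user_all or user in users):
            return method
    return None
```

Two points the example makes concrete: the quoted `"all"` rule matches only a database and a user literally named `all`, which is why quoting has to be part of the format from the start, and a user who is in a database's allowed list but connects from outside the listed network falls through to the final `reject` rule rather than to an earlier, broader one, because matching is first-hit in file order.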
