| From: | Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: elog(FATAL)ing non-existent roles during client |
| Date: | 2006-12-04 13:21:49 |
| Message-ID: | Pine.LNX.4.58.0612050019320.18986@linuxworld.com.au |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
On Thu, 30 Nov 2006, Tom Lane wrote:
> Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> writes:
> > I wonder if we should check if the role exists for the other
> > authentication methods too? get_role_line() should be very cheap and it
> > would prevent unnecessary authentication work if we did it before
> > contacting, for example, the client ident server. Even with trust, it
> > would save work because otherwise we do not check if the user exists until
> > InitializeSessionUserId(), at which time we're set up our proc entry etc.
>
> This only saves work if the supplied ID is in fact invalid, which one
> would surely think isn't the normal case; otherwise it costs more.
Yes.
> I could see doing this in the ident path, because contacting a remote
> ident server is certainly expensive on both sides. I doubt it's a good
> idea in the trust case.
Agreed. How about Kerberos too, applying the same logic?
Gavin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Oleg Bartunov | 2006-12-04 13:24:10 | Fix for 8.2 release. Was: Problems to create the portuguese dictionary |
| Previous Message | Pavel Stehule | 2006-12-04 12:09:16 | SQL/PSM implemenation for PostgreSQL (roadmap) |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Zdenek Kotala | 2006-12-04 13:47:45 | Re: [HACKERS] Dynamic Tracing docs |
| Previous Message | Oleg Bartunov | 2006-12-04 13:21:08 | Re: 8.2.0 pdf |