Re: [HACKERS] elog(FATAL)ing non-existent roles during client

On Tue, 5 Dec 2006, Gavin Sherry wrote:

> On Thu, 30 Nov 2006, Tom Lane wrote:
>
> > Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> writes:
> > > I wonder if we should check if the role exists for the other
> > > authentication methods too? get_role_line() should be very cheap and it
> > > would prevent unnecessary authentication work if we did it before
> > > contacting, for example, the client ident server. Even with trust, it
> > > would save work because otherwise we do not check if the user exists until
> > > InitializeSessionUserId(), at which time we're set up our proc entry etc.
> >
> > This only saves work if the supplied ID is in fact invalid, which one
> > would surely think isn't the normal case; otherwise it costs more.
>
> Yes.
>
> > I could see doing this in the ident path, because contacting a remote
> > ident server is certainly expensive on both sides. I doubt it's a good
> > idea in the trust case.
>
> Agreed. How about Kerberos too, applying the same logic?

Attached is a patch check adds the checks.

Gavin