From: Jacob Champion <pchampion(at)vmware(dot)com>
To: "jkatz(at)postgresql(dot)org" <jkatz(at)postgresql(dot)org>, "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: allowing "map" for password auth methods with clientcert=verify-full
Date: 2021-10-27 16:14:45
Message-ID: 0e107a51941f7648eeda0f68bf768907d150389c.camel@vmware.com
Lists: pgsql-hackers
On Tue, 2021-10-26 at 18:16 -0400, Tom Lane wrote:
> Per "21.2. User Name Maps", I think that the map parameter is supposed
> to translate from the startup packet's user name to the SQL role name.

I may have misunderstood what you wrote, but IIUC the startup packet's
user name _is_ the SQL role name, even when using a map. The map is
just determining whether or not the authenticated ID (pulled from a
certificate, or from Kerberos, or etc.) is authorized to use that role
name. It's not a translation, because you can have a one-to-many user
mapping (where me(at)example(dot)com is allowed to log in as `me` or
`postgres` or `admin` or...).

Please correct me if I've missed something -- I need to have it right
in my head, given my other patches in this area...

--Jacob
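The one-to-many authorization described in the message above, as an added example that is not part of the original e-mail or of PostgreSQL's own code: a small Python reimplementation of the documented pg_ident.conf matching rules (an exact SYSTEM-USERNAME match, or a regular expression introduced by "/" whose first capture group is substituted for \1 in PG-USERNAME), run over a constructed pg_ident.conf. The role the client named in the startup packet is checked for membership in the set of roles the map grants to the authenticated identity; nothing is translated. Assumptions of mine: Python's re module stands in for PostgreSQL's ARE engine, and quoted fields, "all" and "+group" entries are not modelled.

```python
import re

# Constructed sample pg_ident.conf (not from the original message).
# Format per the PostgreSQL docs: MAPNAME  SYSTEM-USERNAME  PG-USERNAME.
# The regex line is anchored explicitly; PostgreSQL does not anchor it for you.
SAMPLE_PG_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME                PG-USERNAME
certmap     me@example.com                 me
certmap     me@example.com                 postgres
certmap     me@example.com                 admin
certmap     /^([a-z0-9]+)@example\.com$    \1
othermap    carol@example.com              carol
"""


def parse_pg_ident(text):
    """Return a list of (mapname, system_username, pg_username) tuples.

    Simplification: no support for quoted fields or for "all"/"+group" values.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(fields))
    return entries


def entry_role(system_username, pg_username, authenticated_id):
    """Role this one line grants to authenticated_id, or None if it does not apply."""
    if not system_username.startswith("/"):
        # Plain form: exact, case-sensitive match of the authenticated identity.
        return pg_username if system_username == authenticated_id else None
    # Regex form: the leading "/" is dropped and the rest is a regular expression.
    m = re.search(system_username[1:], authenticated_id)
    if m is None:
        return None
    if r"\1" not in pg_username:
        return pg_username
    if not m.groups():
        raise ValueError(f"{pg_username!r} references \\1 but "
                         f"{system_username!r} has no capture group")
    # Only the first \1 is substituted, matching PostgreSQL's behaviour.
    return pg_username.replace(r"\1", m.group(1), 1)


def allowed_roles(entries, mapname, authenticated_id):
    """Set of role names the map lets this authenticated identity log in as."""
    roles = set()
    for mn, system_username, pg_username in entries:
        if mn != mapname:
            continue
        role = entry_role(system_username, pg_username, authenticated_id)
        if role is not None:
            roles.add(role)
    return roles


def authorized(entries, mapname, authenticated_id, requested_role):
    """The check a map performs: may authenticated_id use the role from the startup packet?"""
    return requested_role in allowed_roles(entries, mapname, authenticated_id)


if __name__ == "__main__":
    entries = parse_pg_ident(SAMPLE_PG_IDENT)
    for ident in ("me@example.com", "bob@example.com", "me@evil.com"):
        print(ident, "->", sorted(allowed_roles(entries, "certmap", ident)))
    print(authorized(entries, "certmap", "bob@example.com", "postgres"))
```

Running the block shows me@example.com granted me, postgres and admin by the three exact lines (the regex line also yields me), bob@example.com granted only bob through the regex, and me@evil.com granted nothing; asking for postgres as bob@example.com is refused even though bob@example.com is a valid identity under the map.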