Re: Open 7.3 items

Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> Oh, so try it with and without. I can do that, but it seems more of a
> security problem where you were trying two names instead of one. Do
> people like that?

The nice thing about it is you can have any combination of people with
installation-wide access (create them as joeblow) and people with
one-database access (create them as joeblow(at)joesdatabase). A special
case for only the postgres user is much less flexible.

> It is easy to do, except for the fact we have to
> match pg_hba.conf with a username, though we could do the double-test
> there too, if that isn't too weird.

It'd probably be better to first look at the flat-file copy of pg_shadow
to determine whether user or user(at)database is the form to use, and then
run through pg_hba.conf only once using the correct form. Otherwise
there are going to be all sorts of weird corner cases: user might match
a different pg_hba row than user(at)database does.

Also, if you do it this way then the substitution only has to be done in
one place: you can pass down the correct form to the backend, which'd
otherwise have to repeat the test to see which username is found.

regards, tom lane