[PATCH] user mapping extension to pg_ident.conf

From: Lars Kanis <kanis(at)comcard(dot)de>
To: pgsql-hackers(at)postgresql(dot)org
Cc: Magnus Hagander <magnus(at)hagander(dot)net>
Subject: [PATCH] user mapping extension to pg_ident.conf
Date: 2009-06-29 13:14:27
Message-ID: 200906291514.32351.kanis@comcard.de
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Hi all,

this patch adds the possibility to map the login-rolename to a different
rolename actually used for permissions.

What is it used for?

I'm working with smartcard based TLS-authentication to connect to the PG
server. Authentication is done with the keys and certificates from the card
within the TLS handshake. Certificate-CN and login-username have to be the
same or have to match by the "pg_ident.conf". The role actually used for
permissions is always the login-username. This patch allowes, to change the
actually permissions to a role based on the certificate-CN. It is realised by
an additional column in "pg_ident.conf".

When using ODBC, you have to setup a fixed username which is used for login.
Different permissions depending on the CN of the certificate on the current
smartcard could be achieved by the following line:

ssl-user /(.*) dummy \1

The extension could be similar used for kerberos authentication, too.

Bytheway I refactored the pg_ident-code a little bit, to avoid duplicated code
and to allow substitution of more than one match (\2, \3 etc).

Questions (I'm quite new to the PG-sources and used to write Ruby code):
- Is this something useful - or is there a much easier way?
- Are there any implementation shortcomings?

Lars Kanis

Attachment Content-Type Size
effective_role.patch text/x-diff 9.7 KB


Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Hunsberger 2009-06-29 13:56:54 Re: Query progress indication - an implementation
Previous Message Richard Huxton 2009-06-29 13:01:33 Re: Extensions User Design