Re: Connect as multiple users using single client certificate

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Kyle Bateman <kyle(at)batemans(dot)org>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: Connect as multiple users using single client certificate
Date: 2019-10-16 22:53:04
Message-ID: 20191016225304.GM6962@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Kyle Bateman (kyle(at)batemans(dot)org) wrote:
> What I hope to accomplish is: Establish a secure, encrypted connection to
> Postgresql from a trusted process, possibly running on another machine, whom
> I trust to tell me which user (within a limited set, defined by a role) it
> would like to connect as.  That process does its own robust authentication
> of users before letting them through to the database by the username they
> claim.  However, it is still useful to connect as different users because my
> views and functions operate differently depending on which user is on the
> other end of the connection.
>
> Is there a way I can accomplish this using the existing authentication
> methods (other than trust)?

Have you considered just having a regular client-side cert for the
middleware that logs in as a common user to the PG database, and then
performs a SET ROLE to whichever user the middleware has authenticated
the user as? That seems to match pretty closely what you're looking for
and has the advantage that it'll also allow you to work through
connection poolers.

Thanks,

Stephen
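
The SET ROLE approach suggested in this reply, sketched as an added example that is not part of the original message. The role names (middleware, alice, bob), the database name, the table and view, and the pg_hba.conf line are all hypothetical; the setup statements are run by an administrator and the per-request block by the middleware's own session.

```sql
-- Added example; every role, database, table and address is hypothetical.
-- pg_hba.conf entry (constructed) allowing only certificate logins for the
-- middleware account:
--   hostssl  appdb  middleware  192.0.2.10/32  cert
-- With "cert", the certificate CN must match the database user name
-- (middleware) unless a pg_ident map says otherwise.

-- Setup, run as an administrator ------------------------------------------

-- Login role for the middleware. NOINHERIT means it holds none of the
-- end users' privileges until it explicitly switches role.
CREATE ROLE middleware LOGIN NOINHERIT;

-- End-user roles cannot log in on their own.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;

-- Membership is what defines the limited set of roles the middleware
-- is allowed to SET ROLE to.
GRANT alice, bob TO middleware;

-- A view whose result depends on the effective role.
CREATE TABLE notes (owner text NOT NULL, body text NOT NULL);
INSERT INTO notes VALUES ('alice', 'alice note'), ('bob', 'bob note');
CREATE VIEW my_notes AS
    SELECT body FROM notes WHERE owner = current_user;
GRANT SELECT ON my_notes TO alice, bob;

-- Per request, run by the middleware after it has authenticated the user ---

-- SET LOCAL lasts only until COMMIT/ROLLBACK, so a pooled connection does
-- not carry one user's role over into the next request.
BEGIN;
SET LOCAL ROLE alice;
-- session_user remains the login role; current_user is the role switched to.
SELECT session_user, current_user;
SELECT body FROM my_notes;
COMMIT;

-- A SET ROLE to any role that middleware is not a member of is rejected
-- by the server, which is what keeps the set limited.
```

Any statement executed on this connection can issue RESET ROLE or SET ROLE to another granted role, so the middleware has to run only its own SQL and never pass through SQL text supplied by the end user.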
