| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Florian G(dot) Pflug" <fgp(at)phlo(dot)org>, "Jeroen T(dot) Vermeulen" <jtv(at)xs4all(dot)nl>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: "Optional ident" authentication |
| Date: | 2006-11-28 15:42:13 |
| Message-ID: | 456C58D5.7000101@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> "Florian G. Pflug" <fgp(at)phlo(dot)org> writes:
>
>> I believe it would be sufficient to add an additional column to pg_hba.conf
>> called "On Failure". The value could either be "Continue" or "Abort", with
>> the default being "Abort" to match the current behaviour.
>>
>
> Then you get into the problem that it has to work for *all* auth
> methods, which in general it will not, because the client probably isn't
> prepared for multiple auth challenges. Jeroen's kluge avoids that by
> only working for an auth method that doesn't involve a client challenge.
>
Yes, if we did that we'd probably have to fix libpq to allow for it (and
any native protocol implementations such as JDBC). Can the wire protocol
handle it?
> The example you cited is easily implemented without any new features,
> anyway, using "samegroup":
>
> local all samegroup ident sameuser
> local all all md5
>
> where users are made members of the group/role named after the database
> they are allowed to log into without a password.
>
>
>
I was just composing almost this identical example ;-)
'samegroup' is a much overlooked feature, I believe, and should be
extremely useful for hosting providers especially.
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2006-11-28 15:51:35 | Short writes |
| Previous Message | Tom Lane | 2006-11-28 15:21:12 | Re: "Optional ident" authentication |