| From: | Jacob Champion <pchampion(at)vmware(dot)com> |
|---|---|
| To: | "magnus(at)hagander(dot)net" <magnus(at)hagander(dot)net> |
| Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net> |
| Subject: | Re: Proposal: Save user's original authenticated identity for logging |
| Date: | 2021-02-01 21:36:34 |
| Message-ID: | 94f6b945f9ca8cabe2b9d2a38ec19dca6f90a083.camel@vmware.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sun, 2021-01-31 at 12:27 +0100, Magnus Hagander wrote:
> > (There's also the fact that I think pg_ident mapping for LDAP would be
> > just as useful as it is for GSS or certs. That's for a different
> > conversation.)
>
> Specifically for search+bind, I would assume?
Even for the simple bind case, I think it'd be useful to be able to
perform a pg_ident mapping of
ldapmap /.* ldapuser
so that anyone who is able to authenticate against the LDAP server is
allowed to assume the ldapuser role. (For this to work, you'd need to
be able to specify your LDAP username as a connection option, similar
to how you can specify a client certificate, so that you could set
PGUSER=ldapuser.)
But again, that's orthogonal to the current discussion.
> With that I think it would also be useful to have it available in the
> system as well -- either as a column in pg_stat_activity or maybe just
> as a function like pg_get_authenticated_identity() since it might be
> something that's interesting to a smallish subset of users (but very
> interesting to those).
Agreed, it would slot in nicely with the other per-backend stats functions.
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jacob Champion | 2021-02-01 21:50:54 | Re: Proposal: Save user's original authenticated identity for logging |
| Previous Message | David Rowley | 2021-02-01 21:26:23 | Re: [sqlsmith] Failed assertion during partition pruning |