From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Jelte Fennema <Jelte(dot)Fennema(at)microsoft(dot)com> |
Cc: | "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: [PATCH] Support using "all" for the db user in pg_ident.conf |
Date: | 2022-12-28 00:10:49 |
Message-ID: | Y6uJiZK3V2f5XK6w@paquier.xyz |
Lists: | pgsql-hackers |
On Tue, Dec 27, 2022 at 03:54:46PM +0000, Jelte Fennema wrote:
> This change makes it much easier to have a certain database
> administrator peer or cert authentication, that allows connecting as
> any user. Without this change you would need to add a line to
> pg_ident.conf for every user that is in the database.

That seems pretty dangerous to me. For one, how does this work in
cases where we expect the ident entry to be case-sensitive, aka
authentication methods where check_ident_usermap() and check_usermap()
use case_insensitive = false?

Anyway, it is a bit confusing to see a patch touching parts of the
ident code related to the system-username while it claims to provide a
means to shortcut a check on the database-username. If you think that
some renames should be done to IdentLine, these ought to be done
first.

--
Michael