Re: [PATCH] Support using "all" for the db user in pg_ident.conf

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Jelte Fennema <Jelte(dot)Fennema(at)microsoft(dot)com>
Cc: "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: [PATCH] Support using "all" for the db user in pg_ident.conf
Date: 2022-12-28 00:10:49
Message-ID: Y6uJiZK3V2f5XK6w@paquier.xyz
Lists: pgsql-hackers

On Tue, Dec 27, 2022 at 03:54:46PM +0000, Jelte Fennema wrote:
> This change makes it much easier to have a certain database
> administrator peer or cert authentication, that allows connecting as
> any user. Without this change you would need to add a line to
> pg_ident.conf for every user that is in the database.

That seems pretty dangerous to me. For one, how does this work in
cases where we expect the ident entry to be case-sensitive, aka
authentication methods where check_ident_usermap() and check_usermap()
use case_insensitive = false?

Anyway, it is a bit confusing to see a patch touching parts of the
ident code related to the system-username while it claims to provide a
means to shortcut a check on the database-username. If you think that
some renames should be done to IdentLine, these ought to be done
first.
--
Michael
