Re: Using both ident and password in pg_hba.conf

From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
To: "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
Cc: PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: Using both ident and password in pg_hba.conf
Date: 2016-05-09 20:39:48
Message-ID: 01da8105-9745-6fa1-a9fb-5bdaabf25668@aklaver.com
Lists: pgsql-general

On 05/09/2016 01:18 PM, D'Arcy J.M. Cain wrote:
> On Mon, 9 May 2016 13:02:53 -0700
> Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> wrote:
>> So define PHP runs as 'nobody'?
>
> Because of the way PHP and Apache work, PHP scripts have to run as the
> Apache user which, in my case anyway, is "nobody" so every PHP script
> runs as nobody. Meanwhile non-PHP scripts run as the user who owns the
> site.
>
>> Is that the script's user permissions?
>
> Sometimes. The user has the choice to have everything owned by nobody
> (which requires that they contact us for changes) or else as themself
> but with world readable permissions on the files so that nobody can
> serve them.
>
>> Or is that the database user the script is connecting as?
>
> Yes.
>
>> Is 'nobody' defined as a database user?
>
> Yes but each user has their own database with their own user and
> password. When they run PHP scripts they connect as nobody but they
> attempt to login as themself.

The above does not make sense to me. Maybe I am not understanding if you
mean connect and login as the same thing or not? I could see connecting
as 'nobody' and then doing SET ROLE as user. Or connect as 'nobody' for
the PHP script and have a separate connection as the database user.
Otherwise you are going to have to explain more about what you are doing.

>
> Basically I think that pg_hba.conf is missing a feature. We can
> specify the database, the user and the address but we can't specify the
> authenticated user. When it sees this;
>
> provided user name (x) and authenticated user name (nobody) do not match
>
> I would like it to connect with user x but drop to password
> authentication.

Again this seems to assume a given connection can have two user names at
the same time. As John pointed out there is mapping but it still
resolves to only one name for the actual connection.

>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
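
Added example, not part of the message above or of the thread: a simplified Python model of why an ident mismatch does not drop to password authentication and why a mapped connection still carries one user name. It assumes PostgreSQL's documented first-match record selection with no fall-through; the rules, the map name `web` and the user `alice` are constructed for illustration.

```python
# Added illustration: simplified model of pg_hba.conf handling for local
# connections. Rules, map and user names are constructed, not from the thread.
HBA = [  # (type, database, user, method, ident map name or None)
    ("local", "sameuser", "all", "ident", None),
    ("local", "all", "all", "md5", None),
]

def select_record(hba, conn_type, database, db_user):
    """First record matching type, database and requested user wins.
    The OS user is not consulted here, so it cannot influence the choice."""
    for rec in hba:
        rtype, rdb, ruser, _method, _map = rec
        db_ok = rdb in ("all", database) or (rdb == "sameuser" and database == db_user)
        if rtype == conn_type and db_ok and ruser in ("all", db_user):
            return rec
    return None

def authenticate(hba, database, db_user, os_user, password_ok=False, maps=None):
    """Return (True, session_user) or (False, reason)."""
    rec = select_record(hba, "local", database, db_user)
    if rec is None:
        return (False, "no pg_hba.conf entry")
    method, map_name = rec[3], rec[4]
    if method == "ident":
        if map_name is None:
            ok = os_user == db_user
        else:
            ok = (os_user, db_user) in (maps or {}).get(map_name, set())
        # A failed check ends the attempt; later records are never tried.
        return (True, db_user) if ok else (False, "ident mismatch")
    if method == "md5":
        return (True, db_user) if password_ok else (False, "bad password")
    return (False, "unsupported method in this model")

# Site owner running a script as themselves.
print(authenticate(HBA, "alice", "alice", os_user="alice"))
# PHP as OS user "nobody" asking for alice with the right password:
print(authenticate(HBA, "alice", "alice", os_user="nobody", password_ok=True))
# With a map, "nobody" may be accepted as alice, but the session has one name.
MAPPED = [("local", "sameuser", "all", "ident", "web")]
WEB = {"web": {("alice", "alice"), ("nobody", "alice")}}
print(authenticate(MAPPED, "alice", "alice", os_user="nobody", maps=WEB))
```

In this model, mapping `nobody` to a site owner lets every process running as `nobody` connect as that owner without a password, which is the trade-off to weigh before using a map for shared web server accounts.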
