From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Lars Kanis <kanis(at)comcard(dot)de>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [PATCH] user mapping extension to pg_ident.conf |
Date: | 2009-07-21 14:06:57 |
Message-ID: | 11898.1248185217@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Magnus Hagander <magnus(at)hagander(dot)net> writes:
> On Tue, Jul 21, 2009 at 15:58, Tom Lane<tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Are you not describing a behavior that you yourself removed in 8.4,
>> ie the libpq code that looked aside at Kerberos for a username?
> Yes, partially I am :-)
> But it was not documented, and done in a fairly hackish way. If we
> want it, it should work the same for *all* external authentication
> methods (where it would be possible).
Well, the problem with it of course was that it happened even when the
selected auth method was not Kerberos.
> Doing it on the client presents a certain challenge
Yup, you would need a protocol change that would allow the client to
change its mind about what the username was after it got the auth
challenge. And then what effects does that have on username-sensitive
pg_hba.conf decisions? We go back and change our minds about the
challenge type, perhaps? The whole thing seems like a nonstarter to me.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Joshua Brindle | 2009-07-21 14:20:09 | Re: [PATCH] SE-PgSQL/tiny rev.2193 |
Previous Message | Tom Lane | 2009-07-21 14:03:22 | Re: [PATCH v4] Avoid manual shift-and-test logic in AllocSetFreeIndex |