| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Joe Conway <mail(at)joeconway(dot)com> |
| Cc: | Jacob Champion <jchampion(at)timescale(dot)com>, "Drouvot, Bertrand" <bdrouvot(at)amazon(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: SYSTEM_USER reserved word implementation |
| Date: | 2022-06-22 16:28:43 |
| Message-ID: | 3523129.1655915323@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Joe Conway <mail(at)joeconway(dot)com> writes:
> On 6/22/22 11:52, Tom Lane wrote:
>> I think a case could be made for ONLY returning non-null when authn_id
>> represents some externally-verified identifier (OS user ID gotten via
>> peer identification, Kerberos principal, etc).
> But -1 on that.
> I think any time we have a non-null authn_id we should expose it. Are
> there examples of cases when we have authn_id but for some reason don't
> trust the value of it?
I'm more concerned about whether we have a consistent story about what
SYSTEM_USER means (another way of saying "what type is it"). If it's
just the same as SESSION_USER it doesn't seem like we've added much.
Maybe, instead of just being the raw user identifier, it should be
something like "auth_method:user_identifier" so that one can tell
what the identifier actually is and how it was verified.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Joe Conway | 2022-06-22 16:32:38 | Re: SYSTEM_USER reserved word implementation |
| Previous Message | Joe Conway | 2022-06-22 16:26:46 | Re: SYSTEM_USER reserved word implementation |