Re: allow specifying direct role membership in pg_hba.conf

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: "Bossart, Nathan" <bossartn(at)amazon(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: allow specifying direct role membership in pg_hba.conf
Date: 2021-05-14 12:11:07
Message-ID: 37abd415-e069-fb0a-c2b2-bdb505ca0fc8@dunslane.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers


On 5/13/21 7:38 PM, Bossart, Nathan wrote:
> Hi hackers,
>
> I've attached a small patch that allows specifying only direct members
> of a group in pg_hba.conf. The "+" prefix offered today matches both
> direct and indirect role members, which may complicate some role
> setups. For example, if you have one set of roles that are members of
> the "pam" role and another set that are members of the "scram-sha-256"
> role, granting membership in a PAM role to a SCRAM role might
> inadvertently modify the desired authentication method for the
> grantee. If only direct membership is considered, no such inadvertent
> authentication method change would occur.
>
> I chose "&" as a new group name prefix for this purpose. This choice
> seemed as good as any, but I'm open to changing it if anyone has
> suggestions. For determining direct role membership, I added a new
> function in acl.c that matches other related functions. I added a new
> role cache type since it seemed to fit in reasonably well, but it seems
> unlikely that there is any real performance benefit versus simply
> open-coding the syscache lookup.
>
> I didn't see any existing authentication tests for groups at first
> glance. If folks are interested in this functionality, I can work on
> adding some tests for this stuff.
>

Do we really want to be creating two classes of role membership?

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2021-05-14 12:12:11 Re: OOM in spgist insert
Previous Message Bruce Momjian 2021-05-14 12:09:42 Re: compute_query_id and pg_stat_statements