allow specifying direct role membership in pg_hba.conf

From: "Bossart, Nathan" <bossartn(at)amazon(dot)com>
To: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: allow specifying direct role membership in pg_hba.conf
Date: 2021-05-13 23:38:46
Message-ID: 3BE2E13A-5697-4290-8F94-32434E3A3E56@amazon.com
Lists: pgsql-hackers

Hi hackers,

I've attached a small patch that allows specifying only direct members
of a group in pg_hba.conf. The "+" prefix offered today matches both
direct and indirect role members, which may complicate some role
setups. For example, if you have one set of roles that are members of
the "pam" role and another set that are members of the "scram-sha-256"
role, granting membership in a PAM role to a SCRAM role might
inadvertently modify the desired authentication method for the
grantee. If only direct membership is considered, no such inadvertent
authentication method change would occur.

I chose "&" as a new group name prefix for this purpose. This choice
seemed as good as any, but I'm open to changing it if anyone has
suggestions. For determining direct role membership, I added a new
function in acl.c that matches other related functions. I added a new
role cache type since it seemed to fit in reasonably well, but it seems
unlikely that there is any real performance benefit versus simply
open-coding the syscache lookup.

I didn't see any existing authentication tests for groups at first
glance. If folks are interested in this functionality, I can work on
adding some tests for this stuff.

Nathan

Attachment Content-Type Size
v1-0001-Allow-specifying-direct-role-membership-in-pg_hba.patch application/octet-stream 9.7 KB
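The distinction the patch draws, illustrated with constructed roles named after the example in the mail (this is an added example, not code from the patch or the thread; the "&" prefix is the one proposed above, not something PostgreSQL ships):

```sql
-- Constructed role graph: bob ends up in "pam" only through "scram-sha-256".
CREATE ROLE pam NOLOGIN;
CREATE ROLE "scram-sha-256" NOLOGIN;
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
GRANT pam TO alice;                 -- alice: direct member of pam
GRANT "scram-sha-256" TO bob;       -- bob: direct member of scram-sha-256
GRANT pam TO "scram-sha-256";       -- bob: now an indirect member of pam

-- Walk pg_auth_members outward from "pam", recording the hop count.
-- UNION (not UNION ALL) stops the recursion if a cycle ever appeared.
WITH RECURSIVE members AS (
    SELECT am.member, 1 AS depth
    FROM pg_auth_members am
    JOIN pg_roles g ON g.oid = am.roleid
    WHERE g.rolname = 'pam'
  UNION
    SELECT am.member, ms.depth + 1
    FROM pg_auth_members am
    JOIN members ms ON am.roleid = ms.member
)
SELECT r.rolname, min(ms.depth) AS depth
FROM members ms
JOIN pg_roles r ON r.oid = ms.member
WHERE r.rolcanlogin                 -- only roles that can actually connect
GROUP BY r.rolname
ORDER BY depth, r.rolname;
-- alice | 1   direct:   matched by "+pam" today and by the proposed "&pam"
-- bob   | 2   indirect: matched by "+pam" only

-- Corresponding pg_hba.conf lines (constructed address range):
--   host  all  +pam  10.0.0.0/8  pam   -- today: alice and bob get PAM
--   host  all  &pam  10.0.0.0/8  pam   -- proposed: only alice gets PAM
```

Rows with depth 1 are exactly the members the proposed "&" prefix would consider; everything deeper is what the "+" prefix additionally pulls in.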
