From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Euler Taveira <euler(at)timbira(dot)com(dot)br> |
Cc: | kolo hhmow <grzsmp(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: pam auth - add rhost item |
Date: | 2015-10-16 13:37:51 |
Message-ID: | CA+Tgmob_fuFK3i4rVqCFT9CKT3tNomyQO59jUejiwZ=XTcwTyw@mail.gmail.com |
Lists: | pgsql-hackers |
On Fri, Oct 16, 2015 at 8:47 AM, Euler Taveira <euler(at)timbira(dot)com(dot)br> wrote:
> On 15-10-2015 05:41, kolo hhmow wrote:
>>
>> I have already explained this in my previous post. Did you read this?
>
>>
> Yes, I do.
>
>> So why postgresql give users an ability to use a pam modules, when in
>> other side there is advice to not use them?
>> Anyway.
>
>>
> Where is such advice? I can't see it in docs [1].
>
>> I do not see any complication with this approach. Just use one
>> configuration entry in pg_hba.conf, and rest entries in some database
>> backend of pam module, which is most convenient with lot of entries than
>> editing pg_hba.conf.
>>
> Why don't you use a group role? I need just one entry in pg_hba.conf.

I feel like this discussion has taken an unhelpful turn. Surely you
can see that this is not necessarily an exact substitute for what kolo
hhmow wants to do. Yeah, he could decide to do something else
instead, but are you really confused about why he would want to do
this in PAM, or is this just a case of arguing that what we have is
good enough so let's not change anything or take suggestions? He's
not saying there's no workaround; he's just saying he'd like this
better.

I think some more interesting questions are:

- Did he implement this correctly?
- Would it break anything?
- Are there lots of other knobs we should expose too instead of just one?
- What would it take to turn this into a committable patch?
- Would the cost of exposing this and perhaps some other knobs cost
too much in performance for the number of people it would make happy?
- If so, should the behavior be GUC-controlled or is there
justification for arguing we should drop the whole patch?

I feel like we've got somebody new showing up to our community with an
idea that is not obviously stupid. If we want such people to stick
around, we should try to give their ideas a fair shake.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company