From: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
---|---|
To: | Jelte Fennema <Jelte(dot)Fennema(at)microsoft(dot)com> |
Cc: | "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: [PATCH] Support using "all" for the db user in pg_ident.conf |
Date: | 2022-12-27 16:21:28 |
Message-ID: | CAMsGm5eLhyRMr-did1Hjc0gh_FzJ0nmnvAxzDktnE5dq1jRv_g@mail.gmail.com |
Lists: | pgsql-hackers |
On Tue, 27 Dec 2022 at 10:54, Jelte Fennema <Jelte(dot)Fennema(at)microsoft(dot)com> wrote:
> This change makes it much easier to have a certain database
> administrator peer or cert authentication, that allows connecting as
> any user. Without this change you would need to add a line to
> pg_ident.conf for every user that is in the database.
>
> In some small sense this is a breaking change if anyone is using "all"
> as a user currently and has pg_ident.conf rules for it. This seems
> unlikely, since "all" was already handled specially in pg_hba.conf.
> Also it can easily be worked around by quoting the all token in
> pg_ident.conf. As long as this is called out in the release notes
> it seems okay to me. However, if others disagree there would
> be the option of changing the token to "pg_all". Since any
> pg_ prefixed users are reserved by postgres there can be no user.
> For now I used "all" though to stay consistent with pg_hba.conf.
+1 from me. I recently was setting up a Vagrant VM for testing and wanted
to allow the OS user which runs the application to connect to the database
as whatever user it wants and was surprised to find I had to list all the
potential target DB users in the pg_ident.conf (in production it uses
password authentication and each server gets just the passwords it needs
stored in ~/.pgpass). I like the idea that both config files would be
consistent, although the use of keywords such as "replication" in the DB
column has always made me a bit uncomfortable.
Related question: is there a reason why pg_ident.conf can't/shouldn't be
replaced by a system table? As far as I can tell, it's just a 3-column
table, essentially, with all columns in the primary key. This latest
proposal changes that a little; strictly, it should probably introduce a
second table with just two columns identifying which OS users can connect
as any user, but existing system table style seems to suggest that we would
just use a special value in the DB user column for "all".
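The matching rule the patch proposes, as an added illustration that is not part of this thread or of PostgreSQL's own code: a small model of pg_ident.conf lookup in which an unquoted `all` in the PG-USERNAME column matches any database user, while a quoted `"all"` stays a literal role name (the workaround mentioned above). The map names, system user and role names are constructed; regex system usernames (`/...`) are not modelled.

```python
import re

# Constructed pg_ident.conf content. "devmap" uses the proposed keyword,
# "legacymap" lists target roles one by one as required today, and
# "literalmap" shows the quoting workaround for a role actually named all.
PG_IDENT_CONF = """
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
devmap      appuser           all
legacymap   appuser           alice
legacymap   appuser           bob
literalmap  appuser           "all"
"""

# A token is either a double-quoted string or a run of non-blank characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_ident(text):
    """Return a list of (mapname, system_user, pg_user, quoted) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        tokens = []
        for m in _TOKEN.finditer(line):
            if m.group(1) is not None:
                tokens.append((m.group(1), True))   # quoted token
            else:
                tokens.append((m.group(2), False))  # bare token
        if len(tokens) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {line!r}")
        (mapname, _), (sysuser, _), (pguser, quoted) = tokens
        entries.append((mapname, sysuser, pguser, quoted))
    return entries


def is_allowed(entries, mapname, system_user, requested_pg_user):
    """Model of the proposed rule: an unquoted 'all' matches every role,
    a quoted "all" (or any other name) matches only that exact role."""
    for m, sysuser, pguser, quoted in entries:
        if m != mapname or sysuser != system_user:
            continue
        if pguser == requested_pg_user:
            return True
        if pguser == "all" and not quoted:
            return True
    return False
```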