Re: Open 7.3 items
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Bruce Momjian <pgman@candle.pha.pa.us>
Cc: Peter Eisentraut <peter_e@gmx.net>, Lamar Owen <lamar.owen@wgcr.org>, "Marc G. Fournier" <scrappy@hub.org>, Ron Snyder <snyder@roguewave.com>, Neil Conway <nconway@klamath.dyndns.org>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2002-08-14T18:34:38Z
Lists: pgsql-hackers
Bruce Momjian <pgman@candle.pha.pa.us> writes: > Oh, so try it with and without. I can do that, but it seems more of a > security problem where you were trying two names instead of one. Do > people like that? The nice thing about it is you can have any combination of people with installation-wide access (create them as joeblow) and people with one-database access (create them as joeblow@joesdatabase). A special case for only the postgres user is much less flexible. > It is easy to do, except for the fact we have to > match pg_hba.conf with a username, though we could do the double-test > there too, if that isn't too weird. It'd probably be better to first look at the flat-file copy of pg_shadow to determine whether user or user@database is the form to use, and then run through pg_hba.conf only once using the correct form. Otherwise there are going to be all sorts of weird corner cases: user might match a different pg_hba row than user@database does. Also, if you do it this way then the substitution only has to be done in one place: you can pass down the correct form to the backend, which'd otherwise have to repeat the test to see which username is found. regards, tom lane