Re: Proposal: Save user's original authenticated identity for logging
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Greg Stark <stark@mit.edu>
Cc: Jacob Champion <pchampion@vmware.com>,
"sfrost@snowman.net" <sfrost@snowman.net>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2021-01-31T15:53:26Z
Lists: pgsql-hackers
Greg Stark <stark@mit.edu> writes: > I wonder if there isn't room to handle this the other way around. To > configure Postgres to not need a CREATE ROLE for every role but > delegate the user management to the external authentication service. > So Postgres would consider the actual role to be the one kerberos said > it was even if that role didn't exist in pg_role. Presumably you would > want to delegate to a corresponding authorization system as well so if > the role was absent from pg_role (or more likely fit some pattern) > Postgres would ignore pg_role and consult the authorization system > configured like AD or whatever people use with Kerberos these days. This doesn't sound particularly workable: how would you manage inside-the-database permissions? Kerberos isn't going to know what "view foo" is, let alone know whether you should be allowed to read or write it. So ISTM there has to be a role to hold those permissions. Certainly, you could allow multiple external identities to share a role ... but that works today. regards, tom lane
Commits
-
Add missing $Test::Builder::Level settings
- 73aa5e0cafd0 15.0 landed
- e536a2683439 14.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 landed
-
Fix some issues with SSL and Kerberos tests
- 5a71964a832f 14.0 landed
-
Refactor all TAP test suites doing connection checks
- c50624cdd248 14.0 landed