Re: SYSTEM_USER reserved word implementation
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jacob Champion <jchampion@timescale.com>
Cc: Joe Conway <mail@joeconway.com>,
"Drouvot,
Bertrand" <bdrouvot@amazon.com>,
PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2022-06-22T15:52:27Z
Lists: pgsql-hackers
Jacob Champion <jchampion@timescale.com> writes: > On Wed, Jun 22, 2022 at 8:10 AM Joe Conway <mail@joeconway.com> wrote: >> In case port->authn_id is NULL then the patch is returning the SESSION_USER for the SYSTEM_USER. Perhaps it should return NULL instead. > If the spec says that SYSTEM_USER "represents the operating system > user", but we don't actually know who that user was (authn_id is > NULL), then I think SYSTEM_USER should also be NULL so as not to > mislead auditors. Yeah, that seems like a fundamental type mismatch. If we don't know the OS user identifier, substituting a SQL role name is surely not the right thing. I think a case could be made for ONLY returning non-null when authn_id represents some externally-verified identifier (OS user ID gotten via peer identification, Kerberos principal, etc). regards, tom lane
Commits
-
Introduce SYSTEM_USER
- 0823d061b0b7 16.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 cited