Thread

  1. Re: Open 7.3 items

    Ron Snyder <snyder@roguewave.com> — 2002-07-31T23:06:42Z

    > 
    > Yes, is that your pg_hba.conf line?  'password' is insecure over
    > networks you don't trust.
    
    Yes, we're using 'password password' in our pg_hba.conf file.  I trust my
    network (so far).
    
    -ron
    
    
    
  2. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T01:05:13Z

    Ron Snyder wrote:
    > > 
    > > Yes, is that your pg_hba.conf line?  'password' is insecure over
    > > networks you don't trust.
    > 
    > Yes, we're using 'password password' in our pg_hba.conf file.  I trust my
    > network (so far).
    
    That is another major limitation to secondary password files.  In fact,
    md5 will not even work because we assume the username is used as the
    salt for the md5 encryption.  We don't store the salt as part of the
    encrypted password like crypt does.  
    
    This was another reason secondary password files were discouraged.
    
    Let me look at adding the colon password capability and see what it
    looks like.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  3. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-01T01:50:34Z

    On Wed, 31 Jul 2002, Bruce Momjian wrote:
    
    > Ron Snyder wrote:
    > > >
    > > > Yes, is that your pg_hba.conf line?  'password' is insecure over
    > > > networks you don't trust.
    > >
    > > Yes, we're using 'password password' in our pg_hba.conf file.  I trust my
    > > network (so far).
    >
    > That is another major limitation to secondary password files.  In fact,
    > md5 will not even work because we assume the username is used as the
    > salt for the md5 encryption.  We don't store the salt as part of the
    > encrypted password like crypt does.
    >
    > This was another reason secondary password files were discouraged.
    
    discouraged??  where? :)
    
    
    
    
  4. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T02:37:31Z

    Marc G. Fournier wrote:
    > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > 
    > > Ron Snyder wrote:
    > > > >
    > > > > Yes, is that your pg_hba.conf line?  'password' is insecure over
    > > > > networks you don't trust.
    > > >
    > > > Yes, we're using 'password password' in our pg_hba.conf file.  I trust my
    > > > network (so far).
    > >
    > > That is another major limitation to secondary password files.  In fact,
    > > md5 will not even work because we assume the username is used as the
    > > salt for the md5 encryption.  We don't store the salt as part of the
    > > encrypted password like crypt does.
    > >
    > > This was another reason secondary password files were discouraged.
    > 
    > discouraged??  where? :)
    
    Well. I meant that they had very limited usefulness. You had to trust
    your network.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  5. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-01T02:44:33Z

    On Wed, 31 Jul 2002, Bruce Momjian wrote:
    
    > Marc G. Fournier wrote:
    > > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > >
    > > > Ron Snyder wrote:
    > > > > >
    > > > > > Yes, is that your pg_hba.conf line?  'password' is insecure over
    > > > > > networks you don't trust.
    > > > >
    > > > > Yes, we're using 'password password' in our pg_hba.conf file.  I trust my
    > > > > network (so far).
    > > >
    > > > That is another major limitation to secondary password files.  In fact,
    > > > md5 will not even work because we assume the username is used as the
    > > > salt for the md5 encryption.  We don't store the salt as part of the
    > > > encrypted password like crypt does.
    > > >
    > > > This was another reason secondary password files were discouraged.
    > >
    > > discouraged??  where? :)
    >
    > Well. I meant that they had very limited usefulness. You had to trust
    > your network.
    
    that is the case for alot of software, and alot of networks nowadays are
    moving towards encrypted at the switch level, so the local network itself
    is considered to be 'secure' ...
    
    But, personally, you sooooooo sold me on that GUC thing that if we could
    implement that in time for v7.3, I think alot of ppl would find that
    *quite* valuable ...
    
    
    
    
  6. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T02:48:40Z

    Marc G. Fournier wrote:
    > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > 
    > > Marc G. Fournier wrote:
    > > > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > > >
    > > > > Ron Snyder wrote:
    > > > > > >
    > > > > > > Yes, is that your pg_hba.conf line?  'password' is insecure over
    > > > > > > networks you don't trust.
    > > > > >
    > > > > > Yes, we're using 'password password' in our pg_hba.conf file.  I trust my
    > > > > > network (so far).
    > > > >
    > > > > That is another major limitation to secondary password files.  In fact,
    > > > > md5 will not even work because we assume the username is used as the
    > > > > salt for the md5 encryption.  We don't store the salt as part of the
    > > > > encrypted password like crypt does.
    > > > >
    > > > > This was another reason secondary password files were discouraged.
    > > >
    > > > discouraged??  where? :)
    > >
    > > Well. I meant that they had very limited usefulness. You had to trust
    > > your network.
    > 
    > that is the case for alot of software, and alot of networks nowadays are
    > moving towards encrypted at the switch level, so the local network itself
    > is considered to be 'secure' ...
    > 
    > But, personally, you sooooooo sold me on that GUC thing that if we could
    > implement that in time for v7.3, I think alot of ppl would find that
    > *quite* valuable ...
    > 
    
    I am working on it now.  I decided against doing any kind of database
    prepending at the user level.  You create the user as 'dbname.username'.
    That is clearer, rather than prepending based on the db you are
    connected to.  The only code change is in the postmaster authentication
    lookup and ownership setting from the backend connection.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  7. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-01T03:07:55Z

    On Wed, 31 Jul 2002, Bruce Momjian wrote:
    
    > Marc G. Fournier wrote:
    > > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > >
    > > > Marc G. Fournier wrote:
    > > > > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > > > >
    > > > > > Ron Snyder wrote:
    > > > > > > >
    > > > > > > > Yes, is that your pg_hba.conf line?  'password' is insecure over
    > > > > > > > networks you don't trust.
    > > > > > >
    > > > > > > Yes, we're using 'password password' in our pg_hba.conf file.  I trust my
    > > > > > > network (so far).
    > > > > >
    > > > > > That is another major limitation to secondary password files.  In fact,
    > > > > > md5 will not even work because we assume the username is used as the
    > > > > > salt for the md5 encryption.  We don't store the salt as part of the
    > > > > > encrypted password like crypt does.
    > > > > >
    > > > > > This was another reason secondary password files were discouraged.
    > > > >
    > > > > discouraged??  where? :)
    > > >
    > > > Well. I meant that they had very limited usefulness. You had to trust
    > > > your network.
    > >
    > > that is the case for alot of software, and alot of networks nowadays are
    > > moving towards encrypted at the switch level, so the local network itself
    > > is considered to be 'secure' ...
    > >
    > > But, personally, you sooooooo sold me on that GUC thing that if we could
    > > implement that in time for v7.3, I think alot of ppl would find that
    > > *quite* valuable ...
    > >
    >
    > I am working on it now.  I decided against doing any kind of database
    > prepending at the user level.  You create the user as 'dbname.username'.
    > That is clearer, rather than prepending based on the db you are
    > connected to.  The only code change is in the postmaster authentication
    > lookup and ownership setting from the backend connection.
    
    Okay, just a couple of questions ... if there any way of provide
    'superuse' access a user of the database for creating new users?  Say one
    creates a dbname.pgsql account, could it be given 'create user' privileges
    for other users with a prefix of dbname.*?
    
    and, what happens if one doesn't specify dbname.*?  does that user become
    'global', or have access to nothing?
    
    
    
  8. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T03:17:45Z

    Marc G. Fournier wrote:
    > > I am working on it now.  I decided against doing any kind of database
    > > prepending at the user level.  You create the user as 'dbname.username'.
    > > That is clearer, rather than prepending based on the db you are
    > > connected to.  The only code change is in the postmaster authentication
    > > lookup and ownership setting from the backend connection.
    > 
    > Okay, just a couple of questions ... if there any way of provide
    > 'superuse' access a user of the database for creating new users?  Say one
    > creates a dbname.pgsql account, could it be given 'create user' privileges
    > for other users with a prefix of dbname.*?
    
    Uh, that will be tough.
    
    Super-user account will not be qualified by dbname for simplicity.  
    
    > and, what happens if one doesn't specify dbname.*?  does that user become
    > 'global', or have access to nothing?
    
    Access to nothing.  I could actually try to quality by dbname.username,
    then fall back to just username, but that seems insecure.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  9. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-01T03:27:43Z

    On Wed, 31 Jul 2002, Bruce Momjian wrote:
    
    > Marc G. Fournier wrote:
    > > > I am working on it now.  I decided against doing any kind of database
    > > > prepending at the user level.  You create the user as 'dbname.username'.
    > > > That is clearer, rather than prepending based on the db you are
    > > > connected to.  The only code change is in the postmaster authentication
    > > > lookup and ownership setting from the backend connection.
    > >
    > > Okay, just a couple of questions ... if there any way of provide
    > > 'superuse' access a user of the database for creating new users?  Say one
    > > creates a dbname.pgsql account, could it be given 'create user' privileges
    > > for other users with a prefix of dbname.*?
    >
    > Uh, that will be tough.
    >
    > Super-user account will not be qualified by dbname for simplicity.
    >
    > > and, what happens if one doesn't specify dbname.*?  does that user become
    > > 'global', or have access to nothing?
    >
    > Access to nothing.  I could actually try to quality by dbname.username,
    > then fall back to just username, but that seems insecure.
    
    No, that's cool ... just questions I thought of ...
    
    Okay ... hmmm ... just making sure that I understand ... I setup a server,
    when does this dbname.* come into play?  Only if I enable password/md5 in
    pg_hba.conf for a specific database?  all others would still use a plain
    'username' still works?  or are you getting rid of the 'global usernames'
    altogether (which is cool too, just want to clarify) ...
    
    
    
    
    
  10. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T03:31:14Z

    Marc G. Fournier wrote:
    > > Access to nothing.  I could actually try to quality by dbname.username,
    > > then fall back to just username, but that seems insecure.
    > 
    > No, that's cool ... just questions I thought of ...
    
    OK.
    
    > Okay ... hmmm ... just making sure that I understand ... I setup a server,
    > when does this dbname.* come into play?  Only if I enable password/md5 in
    > pg_hba.conf for a specific database?  all others would still use a plain
    > 'username' still works?  or are you getting rid of the 'global usernames'
    > altogether (which is cool too, just want to clarify) ...
    
    There will be a GUC param db_user_namespace which will turn it on/off
    for all access to the cluster _except_ for the super-user.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  11. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-01T03:58:07Z

    On Wed, 31 Jul 2002, Bruce Momjian wrote:
    
    > Marc G. Fournier wrote:
    > > > Access to nothing.  I could actually try to quality by dbname.username,
    > > > then fall back to just username, but that seems insecure.
    > >
    > > No, that's cool ... just questions I thought of ...
    >
    > OK.
    >
    > > Okay ... hmmm ... just making sure that I understand ... I setup a server,
    > > when does this dbname.* come into play?  Only if I enable password/md5 in
    > > pg_hba.conf for a specific database?  all others would still use a plain
    > > 'username' still works?  or are you getting rid of the 'global usernames'
    > > altogether (which is cool too, just want to clarify) ...
    >
    > There will be a GUC param db_user_namespace which will turn it on/off
    > for all access to the cluster _except_ for the super-user.
    
    Okay ... cluster == database server, or a subset of databases within the
    server?  I know what I think of as a cluster, and somehow I suspect this
    has to do with the new schema stuff, which means I *really* have to find
    time to do some catch-up reading ;)  need more hours in day, days in week
    ;(
    
    
    
  12. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T03:59:51Z

    Marc G. Fournier wrote:
    > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > 
    > > Marc G. Fournier wrote:
    > > > > Access to nothing.  I could actually try to quality by dbname.username,
    > > > > then fall back to just username, but that seems insecure.
    > > >
    > > > No, that's cool ... just questions I thought of ...
    > >
    > > OK.
    > >
    > > > Okay ... hmmm ... just making sure that I understand ... I setup a server,
    > > > when does this dbname.* come into play?  Only if I enable password/md5 in
    > > > pg_hba.conf for a specific database?  all others would still use a plain
    > > > 'username' still works?  or are you getting rid of the 'global usernames'
    > > > altogether (which is cool too, just want to clarify) ...
    > >
    > > There will be a GUC param db_user_namespace which will turn it on/off
    > > for all access to the cluster _except_ for the super-user.
    > 
    > Okay ... cluster == database server, or a subset of databases within the
    > server?  I know what I think of as a cluster, and somehow I suspect this
    > has to do with the new schema stuff, which means I *really* have to find
    > time to do some catch-up reading ;)  need more hours in day, days in week
    
    Cluster is db server in this case.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  13. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-01T04:08:10Z

    On Wed, 31 Jul 2002, Bruce Momjian wrote:
    
    > Marc G. Fournier wrote:
    > > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > >
    > > > Marc G. Fournier wrote:
    > > > > > Access to nothing.  I could actually try to quality by dbname.username,
    > > > > > then fall back to just username, but that seems insecure.
    > > > >
    > > > > No, that's cool ... just questions I thought of ...
    > > >
    > > > OK.
    > > >
    > > > > Okay ... hmmm ... just making sure that I understand ... I setup a server,
    > > > > when does this dbname.* come into play?  Only if I enable password/md5 in
    > > > > pg_hba.conf for a specific database?  all others would still use a plain
    > > > > 'username' still works?  or are you getting rid of the 'global usernames'
    > > > > altogether (which is cool too, just want to clarify) ...
    > > >
    > > > There will be a GUC param db_user_namespace which will turn it on/off
    > > > for all access to the cluster _except_ for the super-user.
    > >
    > > Okay ... cluster == database server, or a subset of databases within the
    > > server?  I know what I think of as a cluster, and somehow I suspect this
    > > has to do with the new schema stuff, which means I *really* have to find
    > > time to do some catch-up reading ;)  need more hours in day, days in week
    >
    > Cluster is db server in this case.
    
    'K, cool, thanks :)
    
    Okay, final request .. how hard would it be to pre-pend the current
    database name if GUC value is on?  ie. if I'm in db1 and run CREATE USER,
    it will add db1. to the username if I hadn't already?   Sounds to me it
    would be simple to do, and it would "fix" the point I made about being
    able to have a db "owner" account with create user privileges (ie. if I'm
    in db1 and run CREATE USER db2.bruce, it should reject that unless I've
    got create database prileges *and* create user) ...
    
    Other then that, most elegant solution, IMHO :)
    
    
    
  14. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T04:09:46Z

    Marc G. Fournier wrote:
    > Okay, final request .. how hard would it be to pre-pend the current
    > database name if GUC value is on?  ie. if I'm in db1 and run CREATE USER,
    > it will add db1. to the username if I hadn't already?   Sounds to me it
    > would be simple to do, and it would "fix" the point I made about being
    > able to have a db "owner" account with create user privileges (ie. if I'm
    > in db1 and run CREATE USER db2.bruce, it should reject that unless I've
    > got create database prileges *and* create user) ...
    
    OK, let me get the easy part working first.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  15. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T05:25:50Z

    OK, I have attached a patch for testing.  Sample output is:
    
    	$ sql -U guest test
    	psql: FATAL:  user "test.guest" does not exist
    	$ createuser test.guest
    	Shall the new user be allowed to create databases? (y/n) n
    	Shall the new user be allowed to create more new users? (y/n) n
    	CREATE USER
    	#$ sql -U guest test
    	Welcome to psql, the PostgreSQL interactive terminal.
    	
    	Type:  \copyright for distribution terms
    	       \h for help with SQL commands
    	       \? for help on internal slash commands
    	       \g or terminate with semicolon to execute query
    	       \q to quit
    	
    	test=> 
    
    The patch is quite small.  All it does is prepend the database name to
    the user name supplied with the connection request when
    db_user_namespace is true.
    
    This is not ready for application.  I can find no way from the
    postmaster to determine if the user is the super-user and hence bypass
    the database prepending.  I was going to do that _only_ for the username
    who created the installation for initdb.  Maybe I have to dump that name
    out to a file and read it in from the postmaster.  Other ideas?
    
    It also needs documentation.
    
    I am unsure about auto-prepending the dbname for CREATE USER and other
    cases.  That could get confusing, especially because createuser accesses
    template1, and we would have to handle all other username mentions, like
    in GRANT.  We may be better just leaving it along and telling admins
    they have to quality the username in those cases.
    
    ---------------------------------------------------------------------------
    
    Marc G. Fournier wrote:
    > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > 
    > > Marc G. Fournier wrote:
    > > > On Wed, 31 Jul 2002, Bruce Momjian wrote:
    > > >
    > > > > Marc G. Fournier wrote:
    > > > > > > Access to nothing.  I could actually try to quality by dbname.username,
    > > > > > > then fall back to just username, but that seems insecure.
    > > > > >
    > > > > > No, that's cool ... just questions I thought of ...
    > > > >
    > > > > OK.
    > > > >
    > > > > > Okay ... hmmm ... just making sure that I understand ... I setup a server,
    > > > > > when does this dbname.* come into play?  Only if I enable password/md5 in
    > > > > > pg_hba.conf for a specific database?  all others would still use a plain
    > > > > > 'username' still works?  or are you getting rid of the 'global usernames'
    > > > > > altogether (which is cool too, just want to clarify) ...
    > > > >
    > > > > There will be a GUC param db_user_namespace which will turn it on/off
    > > > > for all access to the cluster _except_ for the super-user.
    > > >
    > > > Okay ... cluster == database server, or a subset of databases within the
    > > > server?  I know what I think of as a cluster, and somehow I suspect this
    > > > has to do with the new schema stuff, which means I *really* have to find
    > > > time to do some catch-up reading ;)  need more hours in day, days in week
    > >
    > > Cluster is db server in this case.
    > 
    > 'K, cool, thanks :)
    > 
    > Okay, final request .. how hard would it be to pre-pend the current
    > database name if GUC value is on?  ie. if I'm in db1 and run CREATE USER,
    > it will add db1. to the username if I hadn't already?   Sounds to me it
    > would be simple to do, and it would "fix" the point I made about being
    > able to have a db "owner" account with create user privileges (ie. if I'm
    > in db1 and run CREATE USER db2.bruce, it should reject that unless I've
    > got create database prileges *and* create user) ...
    > 
    > Other then that, most elegant solution, IMHO :)
    > 
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
  16. Re: Open 7.3 items

    Peter Eisentraut <peter_e@gmx.net> — 2002-08-01T20:05:53Z

    Bruce Momjian writes:
    
    > OK, I have attached a patch for testing.  Sample output is:
    >
    > 	$ sql -U guest test
    > 	psql: FATAL:  user "test.guest" does not exist
    > 	$ createuser test.guest
    
    I will object to any scheme that makes any characters in the user name
    magic.  Two reasons:  First, do it right, make a separate column.
    Second, several tools use URI syntax to specify data sources.  This will
    break any feature that relies on being able to put special characters into
    the user name.
    
    The right solution to having database-local user names is putting extra
    information into pg_shadow regarding which database this user applies to.
    It could be an array or some separate "authentication domain" thing.
    
    -- 
    Peter Eisentraut   peter_e@gmx.net
    
    
    
  17. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T21:11:24Z

    Peter Eisentraut wrote:
    > Bruce Momjian writes:
    > 
    > > OK, I have attached a patch for testing.  Sample output is:
    > >
    > > 	$ sql -U guest test
    > > 	psql: FATAL:  user "test.guest" does not exist
    > > 	$ createuser test.guest
    > 
    > I will object to any scheme that makes any characters in the user name
    > magic.  Two reasons:  First, do it right, make a separate column.
    > Second, several tools use URI syntax to specify data sources.  This will
    > break any feature that relies on being able to put special characters into
    > the user name.
    > 
    > The right solution to having database-local user names is putting extra
    > information into pg_shadow regarding which database this user applies to.
    > It could be an array or some separate "authentication domain" thing.
    
    OK, if you object, you can say goodbye to this feature for 7.3.  I can
    supply the patch to Marc and anyone else who wants it but I am not
    inclined nor convinced we need that level of work for this feature.
    
    So we end up with nothing.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  18. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-01T21:13:52Z

    On Thu, 1 Aug 2002, Bruce Momjian wrote:
    
    > Peter Eisentraut wrote:
    > > Bruce Momjian writes:
    > >
    > > > OK, I have attached a patch for testing.  Sample output is:
    > > >
    > > > 	$ sql -U guest test
    > > > 	psql: FATAL:  user "test.guest" does not exist
    > > > 	$ createuser test.guest
    > >
    > > I will object to any scheme that makes any characters in the user name
    > > magic.  Two reasons:  First, do it right, make a separate column.
    > > Second, several tools use URI syntax to specify data sources.  This will
    > > break any feature that relies on being able to put special characters into
    > > the user name.
    > >
    > > The right solution to having database-local user names is putting extra
    > > information into pg_shadow regarding which database this user applies to.
    > > It could be an array or some separate "authentication domain" thing.
    >
    > OK, if you object, you can say goodbye to this feature for 7.3.  I can
    > supply the patch to Marc and anyone else who wants it but I am not
    > inclined nor convinced we need that level of work for this feature.
    >
    > So we end up with nothing.
    
    Stupid qustion .. but why can't you just add a 'domain' column to
    pg_passwd/pg_shadow so that its stored as two fields instead of one?
    Which I believe is what Pter is/was suggesting ...
    
    
    
    
  19. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-01T21:20:48Z

    Marc G. Fournier wrote:
    > > > I will object to any scheme that makes any characters in the user name
    > > > magic.  Two reasons:  First, do it right, make a separate column.
    > > > Second, several tools use URI syntax to specify data sources.  This will
    > > > break any feature that relies on being able to put special characters into
    > > > the user name.
    > > >
    > > > The right solution to having database-local user names is putting extra
    > > > information into pg_shadow regarding which database this user applies to.
    > > > It could be an array or some separate "authentication domain" thing.
    > >
    > > OK, if you object, you can say goodbye to this feature for 7.3.  I can
    > > supply the patch to Marc and anyone else who wants it but I am not
    > > inclined nor convinced we need that level of work for this feature.
    > >
    > > So we end up with nothing.
    > 
    > Stupid qustion .. but why can't you just add a 'domain' column to
    > pg_passwd/pg_shadow so that its stored as two fields instead of one?
    > Which I believe is what Pter is/was suggesting ...
    
    Right now, pg_pwd only dumps users with passwords, and as I remember, it
    is only accessed when the protocol needs to lookup a password.  It
    wasn't designed for anything more advanced.  If you want separate
    columns, you have to dump out everyone, and modify CREATE USER,
    createuser, ALTER USER, ... to handle those new domain names, and you
    have to make this API visible to everyone even if they are not using
    domains.  That's where things really get ugly.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  20. Re: Open 7.3 items

    Hannu Krosing <hannu@tm.ee> — 2002-08-02T10:56:12Z

    On Thu, 2002-08-01 at 23:20, Bruce Momjian wrote:
    > Marc G. Fournier wrote:
    > > > > I will object to any scheme that makes any characters in the user name
    > > > > magic.  Two reasons:  First, do it right, make a separate column.
    > > > > Second, several tools use URI syntax to specify data sources.  This will
    > > > > break any feature that relies on being able to put special characters into
    > > > > the user name.
    
    This should be settable using a GUC variable (in postgresql.conf as it
    makes no sense once you are connected).
    
    > > > > The right solution to having database-local user names is putting extra
    > > > > information into pg_shadow regarding which database this user applies to.
    > > > > It could be an array or some separate "authentication domain" thing.
    > > >
    > > > OK, if you object, you can say goodbye to this feature for 7.3.  I can
    > > > supply the patch to Marc and anyone else who wants it but I am not
    > > > inclined nor convinced we need that level of work for this feature.
    > > >
    > > > So we end up with nothing.
    > > 
    > > Stupid qustion .. but why can't you just add a 'domain' column to
    > > pg_passwd/pg_shadow so that its stored as two fields instead of one?
    > > Which I believe is what Pter is/was suggesting ...
    > 
    > Right now, pg_pwd only dumps users with passwords, and as I remember, it
    > is only accessed when the protocol needs to lookup a password.  It
    > wasn't designed for anything more advanced.  If you want separate
    > columns, you have to dump out everyone, and modify CREATE USER,
    > createuser, ALTER USER, ... to handle those new domain names, and you
    > have to make this API visible to everyone even if they are not using
    > domains.  That's where things really get ugly.
    
    Actually _not_ modifying the commands (and thus leaving the
    pg_shadow.usedomain column empty) will give us exactly the old
    behaviour. For advanced uses it should be an acceptable interim solution
    to have the superuser update the pg_shadow manually.
    
    But if noone has time to work on it more than just mangling usernames at
    connect time, that should also be ok for 7.3. We just have to document
    it and warn of a new change to real domain  users in 7.4 (or later).
    
    --------------
    Hannu
    
    
    
  21. Re: Open 7.3 items

    Peter Eisentraut <peter_e@gmx.net> — 2002-08-06T21:17:50Z

    Bruce Momjian writes:
    
    > OK, if you object, you can say goodbye to this feature for 7.3.  I can
    > supply the patch to Marc and anyone else who wants it but I am not
    > inclined nor convinced we need that level of work for this feature.
    
    The right solution, IMO, is to resurrect the feature we had and think
    about a fully-featured solution for the next release.  Or try to sell the
    proposed solutions as fully-featured . . .
    
    -- 
    Peter Eisentraut   peter_e@gmx.net
    
    
    
  22. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-07T01:09:14Z

    It had such limited usefulness ('password' only, only crypted-hashed
    passwords in the file) that it doesn't make much sense to resurect it.
    
    To directly address your point, I don't think this new feature will be
    used enough to add the capability to the user admin commands.
    
    I know you object, so I am going to ask for a vote.
    
    OK, here is the request for vote.  Do we want:
    
    	1)  the old secondary passwords re-added
    	2)  the new prefixing of the database name to the username when enabled
    	3)  do nothing
    
    
    ---------------------------------------------------------------------------
    
    Peter Eisentraut wrote:
    > Bruce Momjian writes:
    > 
    > > OK, if you object, you can say goodbye to this feature for 7.3.  I can
    > > supply the patch to Marc and anyone else who wants it but I am not
    > > inclined nor convinced we need that level of work for this feature.
    > 
    > The right solution, IMO, is to resurrect the feature we had and think
    > about a fully-featured solution for the next release.  Or try to sell the
    > proposed solutions as fully-featured . . .
    > 
    > -- 
    > Peter Eisentraut   peter_e@gmx.net
    > 
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 5: Have you checked our extensive FAQ?
    > 
    > http://www.postgresql.org/users-lounge/docs/faq.html
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  23. Re: Open 7.3 items

    Rod Taylor <rbt@zort.ca> — 2002-08-07T01:21:55Z

    > OK, here is the request for vote.  Do we want:
    
    > 	2)  the new prefixing of the database name to the username when enabled
    
    I vote 2.
    
    
    
  24. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-07T01:24:16Z

    On Tue, 6 Aug 2002, Bruce Momjian wrote:
    
    >
    > It had such limited usefulness ('password' only, only crypted-hashed
    > passwords in the file) that it doesn't make much sense to resurect it.
    
    It had limited usefulness to you ... but how many sites out there are
    going to break when they try to upgraded without it there?  I do agree
    that it needs to improved / replaced, but without a suitable replacement
    in place, the old should be resurrected until such a suitable one is in
    place ...
    
    > I know you object, so I am going to ask for a vote.
    
    How can you request a vote of such a limited audience?  *Adding*
    functionality is easy ... removing functionality with at least a release
    for-warning is easy ... removing a feature without any forewarning is akin
    to cutting our own throats ...
    
    > OK, here is the request for vote.  Do we want:
    >
    > 	1)  the old secondary passwords re-added
    > 	2)  the new prefixing of the database name to the username when enabled
    > 	3)  do nothing
    
    If 2 can be done in such a way to be transparent, as well as to allow a
    database owner to be able to create users for his/her database, then I
    think it would be great ... and would far exceed what we have now ...
    
    If you can't do 2 as a complete solution, which, IMHO, includes a db owner
    being able to create db.users for his own database, then my vote is for 1
    ... if 2 can be done completely, then I vote for 2, as it would definitely
    be much more useful ...
    
    Hrmmm ... I was just thinking of another scenario where such a feature
    would be great ... educational.  The ability to setup a database server,
    but to give a professor a database for a course that he could create
    'accounts' for each of the students ...
    
    
    
  25. Re: Open 7.3 items

    Greg Copeland <greg@copelandconsulting.net> — 2002-08-07T01:30:32Z

    I would personally like to see 2, however, Marc is correct IMHO.  I cast
    my vote using the qualifiers that Marc laid out below.
    
    Greg
    
    
    On Tue, 2002-08-06 at 20:24, Marc G. Fournier wrote:
    > On Tue, 6 Aug 2002, Bruce Momjian wrote:
    > 
    > >
    > > It had such limited usefulness ('password' only, only crypted-hashed
    > > passwords in the file) that it doesn't make much sense to resurect it.
    > 
    > It had limited usefulness to you ... but how many sites out there are
    > going to break when they try to upgraded without it there?  I do agree
    > that it needs to improved / replaced, but without a suitable replacement
    > in place, the old should be resurrected until such a suitable one is in
    > place ...
    > 
    > > I know you object, so I am going to ask for a vote.
    > 
    > How can you request a vote of such a limited audience?  *Adding*
    > functionality is easy ... removing functionality with at least a release
    > for-warning is easy ... removing a feature without any forewarning is akin
    > to cutting our own throats ...
    > 
    > > OK, here is the request for vote.  Do we want:
    > >
    > > 	1)  the old secondary passwords re-added
    > > 	2)  the new prefixing of the database name to the username when enabled
    > > 	3)  do nothing
    > 
    > If 2 can be done in such a way to be transparent, as well as to allow a
    > database owner to be able to create users for his/her database, then I
    > think it would be great ... and would far exceed what we have now ...
    > 
    > If you can't do 2 as a complete solution, which, IMHO, includes a db owner
    > being able to create db.users for his own database, then my vote is for 1
    > ... if 2 can be done completely, then I vote for 2, as it would definitely
    > be much more useful ...
    > 
    > Hrmmm ... I was just thinking of another scenario where such a feature
    > would be great ... educational.  The ability to setup a database server,
    > but to give a professor a database for a course that he could create
    > 'accounts' for each of the students ...
    > 
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 4: Don't 'kill -9' the postmaster
    
    
  26. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-07T01:50:08Z

    > How can you request a vote of such a limited audience?  *Adding*
    > functionality is easy ... removing functionality with at least a release
    > for-warning is easy ... removing a feature without any forewarning is akin
    > to cutting our own throats ...
    
    
    Yea, but it was such an ugly feature and I honestly thought no one was
    using it.  In fact, you aren't even using it in the indended way of
    sharing /etc/passwd.  You are using it to implement a different
    capability that I never even imagined.  :-)
    
    > 
    > > OK, here is the request for vote.  Do we want:
    > >
    > > 	1)  the old secondary passwords re-added
    > > 	2)  the new prefixing of the database name to the username when enabled
    > > 	3)  do nothing
    > 
    > If 2 can be done in such a way to be transparent, as well as to allow a
    > database owner to be able to create users for his/her database, then I
    > think it would be great ... and would far exceed what we have now ...
    > 
    > If you can't do 2 as a complete solution, which, IMHO, includes a db owner
    > being able to create db.users for his own database, then my vote is for 1
    > ... if 2 can be done completely, then I vote for 2, as it would definitely
    > be much more useful ...
    
    Well, as it currently stands in the patch, a db owner can create any
    user they want, including users for just their dbs.  However, remember
    that Once someone can create a user, they can create a superuser, so
    security for those folks is impossible.  The patch does not prevent them
    from creating user for other databases, if that is what you wanted, but
    did your previous solution allow this?
    
    
    > 
    > Hrmmm ... I was just thinking of another scenario where such a feature
    > would be great ... educational.  The ability to setup a database server,
    > but to give a professor a database for a course that he could create
    > 'accounts' for each of the students ...
    
    Yep, with no conflicting names.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  27. Re: Open 7.3 items

    Neil Conway <nconway@klamath.dyndns.org> — 2002-08-07T02:25:38Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > OK, here is the request for vote.  Do we want:
    > 
    > 	1)  the old secondary passwords re-added
    > 	2)  the new prefixing of the database name to the username when enabled
    > 	3)  do nothing
    
    I'd vote #3, for the following reasons:
    
            - The functionality that Marc is worried about (in effect,
    		  allowing multiple database users with the same name) is
    		  pretty obscure, and the implementation is even more so. I
    		  doubt whether there is *anyone* other than Marc actually
    		  using it (if that's not the case, please speak up).
    
              Given that it was completely undocumented and a pretty clear
              abuse of the existing code, I don't think it's unreasonable
              for us to break backward compatibility on this issue.
    
            - The old way of doing things is broken, for reasons Bruce has
              elaborated on. Unless there's a compelling reason why we
              *need* this feature in the standard distribution, I'd rather
              we not go back to the old way of doing things.
    
            - I'm not perfectly happy with the scheme Bruce suggested as
              an interim fix (#2). If we're going to implement this
              feature, let's do it properly. In particular, I'm not
              convinced that this feature is urgently needed enough to
              justify a short-term kludge, and I dislike using a GUC
              variable to toggle between two quite different
              authentication processes.
    
    So I'd say leave things as they are. One thing I'd like to see anyway
    is a more prominent listing of the client-visible incompatibilities in
    the release notes -- I'd be content to add an entry to that list for
    the 7.3 release and talk about a more elaborate scheme during the 7.4
    development cycle.
    
    Cheers,
    
    Neil
    
    -- 
    Neil Conway <neilconway@rogers.com>
    PGP Key ID: DB3C29FC
    
    
    
  28. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-07T04:27:05Z

    On Tue, 6 Aug 2002, Bruce Momjian wrote:
    
    > > How can you request a vote of such a limited audience?  *Adding*
    > > functionality is easy ... removing functionality with at least a release
    > > for-warning is easy ... removing a feature without any forewarning is akin
    > > to cutting our own throats ...
    >
    >
    > Yea, but it was such an ugly feature and I honestly thought no one was
    > using it.  In fact, you aren't even using it in the indended way of
    > sharing /etc/passwd.  You are using it to implement a different
    > capability that I never even imagined.  :-)
    
    Can you point me to where this documentation is on its intended use?
    *raised eyebrow*  Just bcause you couldn't imagine it being used the way I
    am, doesn't mean that wasn't what it was intended for :)
    
    > Well, as it currently stands in the patch, a db owner can create any
    > user they want, including users for just their dbs.  However, remember
    > that Once someone can create a user, they can create a superuser, so
    > security for those folks is impossible.  The patch does not prevent them
    > from creating user for other databases, if that is what you wanted, but
    > did your previous solution allow this?
    
    But, the patch should ... how hard is it to add code in that says "if
    connected to db1 *and* have creat user privs, then allow create of
    db1.<username>"?
    
    Personally, from using cyrus-imapd for much much too long, I think what
    we're looking at is 'realms' ... if 'enable_realms' is enabled in
    postmaster.conf, then a user creatd wile connetd to db1 shuld have db1
    appended automagically ...
    
    then again, i do think its "a Bad Thing" to have this enable/disableable,
    since it will cause some serious confusion ... its kinda like everyone's
    argument against Thomas' recent patch about XLOG ... what if you forget?
    
    it should be an initdb option (--enable-realms) so that its a
    one-time-only decision when you create the database instance, not
    something that you can flip on/off ... default would be disabled, to
    reflect current behaviour (minus the password file) ...
    
    or, another option would be 'CREATE DATABASE <DB> WITH REALMS', so that
    you could have some with, some without ... so, if a DATABASE was creatd
    with REALMS, a flag would be set in pg_database stating that only those
    users with db. prefix have access to that database ...
    
    then again, another neat thing would be he ability to 'group' databases
    ... CREATE DATABASE <DB> IN GROUP <dbgroup>, so that users would be named
    dbgroup.* and would b able to login to any database within that group ...
    
    but those are just ideas thrown out ... IMHO, critical for v7.3, if we
    don't revert the patch, is to have *either* '--enable-realms' to set an
    instance in that mode, *or* have it on a per database basis ... I think
    having it as an on/off setting in postmaster.conf is just askng for
    trouble ...
    
    
    
  29. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-07T04:43:19Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > OK, here is the request for vote.  Do we want:
    
    > 	1)  the old secondary passwords re-added
    > 	2)  the new prefixing of the database name to the username when enabled
    > 	3)  do nothing
    
    I vote for 2b), username@database ...
    
    			regards, tom lane
    
    
  30. Re: Open 7.3 items

    Joe Conway <mail@joeconway.com> — 2002-08-07T04:49:38Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > 
    >>OK, here is the request for vote.  Do we want:
    > 
    > 
    >>	1)  the old secondary passwords re-added
    >>	2)  the new prefixing of the database name to the username when enabled
    >>	3)  do nothing
    > 
    > 
    > I vote for 2b), username@database ...
    > 
    
    I like that too -- and it has the added benefit of being similar to 
    Oracle (username@tns_servicename; tns_servicename is really just a 
    pointer to the IP/port of a specific Oracle database).
    
    Joe
    
    
    
  31. Re: Open 7.3 items

    Rod Taylor <rbt@zort.ca> — 2002-08-07T12:16:06Z

    >         - The functionality that Marc is worried about (in effect,
    > 		  allowing multiple database users with the same name) is
    > 		  pretty obscure, and the implementation is even more so. I
    > 		  doubt whether there is *anyone* other than Marc actually
    > 		  using it (if that's not the case, please speak up).
    
    I would use database specific users for a similar area -- shared
    hosting.  But, could live with a longer (128 byte) namedatalen to allow
    a unique user%domain.
    
    
    
  32. Re: Open 7.3 items

    Neil Conway <nconway@klamath.dyndns.org> — 2002-08-07T13:29:46Z

    Rod Taylor <rbt@zort.ca> writes:
    
    > >         - The functionality that Marc is worried about (in effect,
    > > 		  allowing multiple database users with the same name) is
    > > 		  pretty obscure, and the implementation is even more so. I
    > > 		  doubt whether there is *anyone* other than Marc actually
    > > 		  using it (if that's not the case, please speak up).
    > 
    > I would use database specific users for a similar area -- shared
    > hosting.
    
    I agree that the functionality Marc is looking for is useful -- I'm
    just saying that I would bet that *no one* is using the current
    implementation of it in PostgreSQL (i.e. so I don't see the need to
    keep backward compatibility, or the harm in removing the feature for
    the next release until a better solution is designed & implemented).
    
    > But, could live with a longer (128 byte) namedatalen to allow
    > a unique user%domain.
    
    That seems like a serviceable solution to me -- it seems quite easy to
    implement this functionality outside the database proper (at least
    until a proper solution is devised). Keep in mind that the current
    FE/BE protocol limits database and user names to 64 characters.
    That's another thing I'd like to fix in 7.4.
    
    Cheers,
    
    Neil
    
    -- 
    Neil Conway <neilconway@rogers.com>
    PGP Key ID: DB3C29FC
    
    
    
  33. Re: Open 7.3 items

    Rod Taylor <rbt@zort.ca> — 2002-08-07T13:37:03Z

    > > But, could live with a longer (128 byte) namedatalen to allow
    > > a unique user%domain.
    > 
    > That seems like a serviceable solution to me -- it seems quite easy to
    > implement this functionality outside the database proper (at least
    > until a proper solution is devised). Keep in mind that the current
    > FE/BE protocol limits database and user names to 64 characters.
    > That's another thing I'd like to fix in 7.4.
    
    Aw shoot.  64 characters isn't enough to hold a good chunk of our
    clients domain names let alone usernames in front.   I'm not looking
    forward to trimming domains either.
    
    I hope 7.4 that a protocol change for 7.4 is warranted.  Looks like
    there are a fair number of things in that area.
    
    
    
  34. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-07T14:14:26Z

    Neil Conway <nconway@klamath.dyndns.org> writes:
    > Keep in mind that the current
    > FE/BE protocol limits database and user names to 64 characters.
    
    That seems to be a good reason to combine the two on the postmaster
    side, a la Bruce's proposed patch.  If the client side does it then
    the "user@database" has to all fit in 64 characters.
    
    > That's another thing I'd like to fix in 7.4.
    
    Yup.  Do we have a list going of the things we want to fix in the next
    protocol change?  Offhand I remember
    
    * redesign startup packet to eliminate fixed field widths
    * fix COPY protocol to allow resync after errors, support binary data
    * less brain-dead protocol for fast-path function calls
    * allow NOTIFY to include parameters
    * richer ERROR reports (error codes, other stuff)
    
    and I'm sure there's more.  None of this stuff seems to be in the TODO
    list though.
    
    			regards, tom lane
    
    
  35. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-07T14:43:20Z

    On Tuesday 06 August 2002 09:24 pm, Marc G. Fournier wrote:
    > On Tue, 6 Aug 2002, Bruce Momjian wrote:
    > > It had such limited usefulness ('password' only, only crypted-hashed
    > > passwords in the file) that it doesn't make much sense to resurect it.
    
    > It had limited usefulness to you ... but how many sites out there are
    > going to break when they try to upgraded without it there?  I do agree
    > that it needs to improved / replaced, but without a suitable replacement
    > in place, the old should be resurrected until such a suitable one is in
    > place ...
    
    While it appears I'll be outvoted on this issue, and even though I agree that 
    the existing functionality is broken, and even though I am not using the 
    functionality, I am reminded of the overall policy that we have historically 
    had about removing even broken features.  Fair Warning must be given. If that 
    policy is going to be changed, then it needs to be applied with equal vigor 
    to all affected cases.
    
    Even if Marc is the only one using this feature, we should follow established 
    policy -- that is, after all, what policy is for.  To me it seems it is being 
    yanked gratuitously without fair warning.  If every question is answered on a 
    case-by-case basis like this, we will descend to anarchy, I'm afraid.  And, 
    Bruce, I even agree with your reasons -- I just disagree with the method.
    
    Is it going to cause a major problem for it to remain one release cycle while 
    someone works on a suitable replacement, with the warning in the release 
    notes that while this feature is there for backwards compatibility that it 
    will be yanked at the next release?  And I'm not talking about a minor 
    problem like 'more people will start using it' -- I'm talking 'if it stays we 
    will be in danger of massive data corruption or exposure' -- of course, 
    documenting that there is a degree of exposure of data if not set up in an 
    exacting method, as Marc seems to have done.
    
    Some may say Marc has fair warning now -- but does anyone know for sure that 
    NO ONE ELSE in the whole world isn't using this feature?  Marc is more in the 
    know than most, granted -- but if he found this use for the feature others 
    may have as well that we don't even know about.
    
    But if the feature is not going to remain it needs to be prominently 
    documented as being removed in the release notes.
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  36. Re: Open 7.3 items

    Neil Conway <nconway@klamath.dyndns.org> — 2002-08-07T15:20:19Z

    Tom Lane <tgl@sss.pgh.pa.us> writes:
    > Do we have a list going of the things we want to fix in the next
    > protocol change?  Offhand I remember
    > 
    > * redesign startup packet to eliminate fixed field widths
    > * fix COPY protocol to allow resync after errors, support binary data
    > * less brain-dead protocol for fast-path function calls
    > * allow NOTIFY to include parameters
    > * richer ERROR reports (error codes, other stuff)
    
    Some kind of parameter binding or improved support for prepareable
    statements would require changes to the FE/BE protocol -- being able
    to accept parameters without passing them through the parser, for
    example.
    
    Allowing clients to cleanly determine the current transaction state
    will require FE/BE protocol changes, I think. (Or at least, that's my
    vague recollection of the discussion on -hackers from a couple months ago).
    
    That's all I can think of -- there's probably more stuff...
    
    Cheers,
    
    Neil
    
    -- 
    Neil Conway <neilconway@rogers.com>
    PGP Key ID: DB3C29FC
    
    
    
  37. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-07T15:29:29Z

    Neil Conway <nconway@klamath.dyndns.org> writes:
    > Some kind of parameter binding or improved support for prepareable
    > statements would require changes to the FE/BE protocol -- being able
    > to accept parameters without passing them through the parser, for
    > example.
    
    Right.  This is nearly the same, perhaps could be made actually the
    same, as a fast-path function call.
    
    The existing FPF call mechanism only supports binary data, but I think
    it would be useful to allow either binary data or ASCII data in both FPF
    and prepared-statement cases.  The ASCII path would require invoking a
    datatype's conversion function on the backend side, but you'd still get
    to skip the SQL statement parsing/planning overhead.
    
    (Wanders away wondering whether COPY might not be made to fit into this
    same mold...)
    
    			regards, tom lane
    
    
  38. Re: Open 7.3 items

    Hannu Krosing <hannu@tm.ee> — 2002-08-07T21:12:02Z

    On Thu, 2002-08-08 at 03:27, Marc G. Fournier wrote:
    > On Wed, 7 Aug 2002, Bruce Momjian wrote:
    > 
    > > Tom Lane wrote:
    > > > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > > > OK, here is the request for vote.  Do we want:
    > > >
    > > > > 	1)  the old secondary passwords re-added
    > > > > 	2)  the new prefixing of the database name to the username when enabled
    > > > > 	3)  do nothing
    > > >
    > > > I vote for 2b), username@database ...
    > >
    > > Yes, the format was going to be my second vote, dbname.username or
    > > username@dbname.  Guess I will not need that vote.  ;-)
    > 
    > Actually, I kinda like dbname.username myself ... it means that wne you do
    > a SELECT of the pg_shadow file, it can be sorted in a useful manner (ie.
    > grouped by database)
    
    use a view :
    
    create view pg_shadow_with_domain as
        select
            usename as fullname,
            case when (strpos(usename,'@') > 0)
                 then substr(usename,1,strpos(usename,'@')-1)
                 else usename
                  end as usename,
            case when (strpos(usename,'@') > 0)
                 then substr(usename,strpos(usename,'@')+1)
                 else ''
                  end as usedomain,
            usesysid,
            usecreatedb,
            usetrace,
            usesuper,
            usecatupd,
            passwd,
            valuntil
        from pg_shadow;
    
    and sort as you wish ;)
    
    For example, to get all bruces in all domains starting with an 'acc'
    just do
    
    select *
      from pg_shadow_with_domain 
     where usename = 'bruce'
       and domain like 'acc%' ;
    
    ------------------
    Hannu
    
    
    
  39. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-07T22:02:31Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > OK, here is the request for vote.  Do we want:
    > 
    > > 	1)  the old secondary passwords re-added
    > > 	2)  the new prefixing of the database name to the username when enabled
    > > 	3)  do nothing
    > 
    > I vote for 2b), username@database ...
    
    Yes, the format was going to be my second vote, dbname.username or
    username@dbname.  Guess I will not need that vote.  ;-)
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 853-3000
      +  If your life is a hard drive,     |  830 Blythe Avenue
      +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
    
    
  40. Re: Open 7.3 items

    Marc G. Fournier <scrappy@hub.org> — 2002-08-07T22:27:19Z

    On Wed, 7 Aug 2002, Bruce Momjian wrote:
    
    > Tom Lane wrote:
    > > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > > OK, here is the request for vote.  Do we want:
    > >
    > > > 	1)  the old secondary passwords re-added
    > > > 	2)  the new prefixing of the database name to the username when enabled
    > > > 	3)  do nothing
    > >
    > > I vote for 2b), username@database ...
    >
    > Yes, the format was going to be my second vote, dbname.username or
    > username@dbname.  Guess I will not need that vote.  ;-)
    
    Actually, I kinda like dbname.username myself ... it means that wne you do
    a SELECT of the pg_shadow file, it can be sorted in a useful manner (ie.
    grouped by database)
    
    
    
    
  41. LRE: Open 7.3 items

    Christopher Kings-Lynne <chriskl@familyhealth.com.au> — 2002-08-08T02:26:31Z

    > Some may say Marc has fair warning now -- but does anyone know
    > for sure that
    > NO ONE ELSE in the whole world isn't using this feature?  Marc is
    > more in the
    > know than most, granted -- but if he found this use for the
    > feature others
    > may have as well that we don't even know about.
    >
    > But if the feature is not going to remain it needs to be prominently
    > documented as being removed in the release notes.
    
    And just remember all those reasons why people find MySQL easier to use than
    Postgres - the upgrade process...
    
    Chris
    
    
    
  42. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-08T02:31:12Z

    Hannu Krosing <hannu@tm.ee> writes:
    > On Thu, 2002-08-08 at 03:27, Marc G. Fournier wrote:
    >> Actually, I kinda like dbname.username myself ... it means that wne you do
    >> a SELECT of the pg_shadow file, it can be sorted in a useful manner (ie.
    >> grouped by database)
    
    Hmm, Marc's got a point there...
    
    > use a view :
    
    Yeah, but it's painful to do that.
    
    			regards, tom lane
    
    
  43. Re: Open 7.3 items

    Greg Copeland <greg@copelandconsulting.net> — 2002-08-08T02:58:10Z

    Ssshhhh....don't tell Curt that!  ;)
    
    Greg
    
    On Wed, 2002-08-07 at 21:31, Tom Lane wrote:
    > Hannu Krosing <hannu@tm.ee> writes:
    > > On Thu, 2002-08-08 at 03:27, Marc G. Fournier wrote:
    > >> Actually, I kinda like dbname.username myself ... it means that wne you do
    > >> a SELECT of the pg_shadow file, it can be sorted in a useful manner (ie.
    > >> grouped by database)
    > 
    > Hmm, Marc's got a point there...
    > 
    > > use a view :
    > 
    > Yeah, but it's painful to do that.
    > 
    > 			regards, tom lane
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 4: Don't 'kill -9' the postmaster
    
    
  44. Re: Open 7.3 items

    Hannu Krosing <hannu@tm.ee> — 2002-08-08T03:30:37Z

    On Thu, 2002-08-08 at 07:31, Tom Lane wrote:
    > Hannu Krosing <hannu@tm.ee> writes:
    > > On Thu, 2002-08-08 at 03:27, Marc G. Fournier wrote:
    > >> Actually, I kinda like dbname.username myself ... it means that wne you do
    > >> a SELECT of the pg_shadow file, it can be sorted in a useful manner (ie.
    > >> grouped by database)
    > 
    > Hmm, Marc's got a point there...
    > 
    > > use a view :
    > 
    > Yeah, but it's painful to do that.
    
    Not if the view is installed with the system.
    
    So the plan could be:
    
    1 .give the new functionality in a "light" version - ie just checking at
    connect time, full name must be used when creating user.
    
    2. modify pg_user to show it usename usedomain as two separate fields
    for eas of use (join pg_user and pg_shadow on usesysid if you need to
    see passwords)
    
    3. in version 7.4 modify CREATE USER and ALTER USER to save the domain
    info in pg_shadow.usedomain.
    
    -----------------
    Hannu
    
    
    
  45. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-08T05:42:15Z

    Hannu Krosing <hannu@tm.ee> writes:
    > 2. modify pg_user to show it usename usedomain as two separate fields
    > for eas of use (join pg_user and pg_shadow on usesysid if you need to
    > see passwords)
    
    This is already more mechanism than I wanted to buy into, and less
    forethought than I think we need.  For example, is it a good idea if
    pg_user shows usernames that cannot be identified with those shown by
    ACL lists?  If not, how will you modify ACL I/O formats?  What about
    the has_table_privilege functions?
    
    What I'm envisioning is an extremely limited facility that just maps
    connection parameters into an internal username that is of the form
    username@dbname or dbname.username.  Trying to hide that internal
    username for inside-the-database activities does not strike me as a
    good plan.
    
    This may prove to be just a stopgap measure that we'll replace down the
    road (as indeed the secondary-passwords thing was just a stopgap, IMO).
    Let's not add features that will create extra compatibility problems
    if we abandon the whole approach later.
    
    			regards, tom lane
    
    
  46. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-11T02:41:57Z

    I would like to address this email.  
    
    Lamar is mentioning that it is unfair to remove a feature without
    warning.
    
    Let me give a little history.  The secondary password file was created
    at a time when we didn't encrypt with random salt over the wire, and we
    had people who wanted to share their /etc/passwd file with PostgreSQL.
    
    Later, people wanted to use the secondary password file for just
    usernames, so you could list usernames in the file and limit db access
    by user.  This is the current usage for 99% of secondary password users.
    This capability is better served in 7.3 with the new USER column in
    pg_shadow and the ability to specify filenames or groups in that file. 
    Keeping the secondary password file to specify a user list while a new
    USER column exists in 7.3 is just confusing to administrators.  Our
    pg_hba.conf system is pretty complex, so anything we can do to simplify
    helps.
    
    Now, on to Marc's case, where he does use the file for usernames _and_
    passwords.  However, he is using it only so he can have more than one
    person with the same username and restrict access based on the password
    in the secondary password file.  While this does work, my submitted
    patch makes this much easier and cleaner.
    
    Marc had mentioned that this should be an initdb flag.  However, our
    standard procedure is to put stuff in initdb only when it can't be
    changed after initdb.  While strange, this feature can be
    enabled-disabled after initdb.  A quick update of pg_shadow can change
    usernames and you can go in and out of this mode.
    
    Someone talked about pushing this capability into a separate pg_shadow
    column, and making CREATE/ALTER user and createuser aware of this. 
    While this can be done, and it sort of becomes user schemas, there isn't
    enough people wanting this to add complexity to those commands.  A GUC
    flag will meet most peoples needs at this point.
    
    Some mentioned using user@dbname, though the idea of sorting made
    several recant their votes.
    
    So, based on the voting, I think dbname.username is an agreed-upon
    feature addition for 7.3.  I will work on a final patch with
    documentation and post it to the patches list for more comment.
    
    ---------------------------------------------------------------------------
    
    Lamar Owen wrote:
    > On Tuesday 06 August 2002 09:24 pm, Marc G. Fournier wrote:
    > > On Tue, 6 Aug 2002, Bruce Momjian wrote:
    > > > It had such limited usefulness ('password' only, only crypted-hashed
    > > > passwords in the file) that it doesn't make much sense to resurect it.
    > 
    > > It had limited usefulness to you ... but how many sites out there are
    > > going to break when they try to upgraded without it there?  I do agree
    > > that it needs to improved / replaced, but without a suitable replacement
    > > in place, the old should be resurrected until such a suitable one is in
    > > place ...
    > 
    > While it appears I'll be outvoted on this issue, and even though I agree that 
    > the existing functionality is broken, and even though I am not using the 
    > functionality, I am reminded of the overall policy that we have historically 
    > had about removing even broken features.  Fair Warning must be given. If that 
    > policy is going to be changed, then it needs to be applied with equal vigor 
    > to all affected cases.
    > 
    > Even if Marc is the only one using this feature, we should follow established 
    > policy -- that is, after all, what policy is for.  To me it seems it is being 
    > yanked gratuitously without fair warning.  If every question is answered on a 
    > case-by-case basis like this, we will descend to anarchy, I'm afraid.  And, 
    > Bruce, I even agree with your reasons -- I just disagree with the method.
    > 
    > Is it going to cause a major problem for it to remain one release cycle while 
    > someone works on a suitable replacement, with the warning in the release 
    > notes that while this feature is there for backwards compatibility that it 
    > will be yanked at the next release?  And I'm not talking about a minor 
    > problem like 'more people will start using it' -- I'm talking 'if it stays we 
    > will be in danger of massive data corruption or exposure' -- of course, 
    > documenting that there is a degree of exposure of data if not set up in an 
    > exacting method, as Marc seems to have done.
    > 
    > Some may say Marc has fair warning now -- but does anyone know for sure that 
    > NO ONE ELSE in the whole world isn't using this feature?  Marc is more in the 
    > know than most, granted -- but if he found this use for the feature others 
    > may have as well that we don't even know about.
    > 
    > But if the feature is not going to remain it needs to be prominently 
    > documented as being removed in the release notes.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  47. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-13T01:28:41Z

    On Saturday 10 August 2002 10:41 pm, Bruce Momjian wrote:
    > Let me give a little history.  The secondary password file was created
    > at a time when we didn't encrypt with random salt over the wire, and we
    > had people who wanted to share their /etc/passwd file with PostgreSQL.
    [snip]
    
    > So, based on the voting, I think dbname.username is an agreed-upon
    > feature addition for 7.3.  I will work on a final patch with
    > documentation and post it to the patches list for more comment.
    
    I can live with this, if the documentation is prominently referred to in the 
    changelog.
    
    As to the feature itself, I believe Bruce's proposed solution is the best, and 
    believed that from the beginning -- I just wanted to deal with the 'fair 
    warning' issue alone.
    
    As to fair warning:  watch for the next RPM release.  Fair Warning is being 
    given that upgrades within the RPM context will not be supported in any form 
    for the final release of PostgreSQL 7.3. 
    
    I had a 'd'oh' moment (and I don't watch the Simpsons....) when I realized 
    that I could quite easily prevent anyone from even attempting an RPM upgrade, 
    unless that take matters into their own grubby little hands with special 
    switches to the rpm command line. 
    
    It will not be yanked this next set, but the following set will be 
    unupgradable.  Sorry, but the packaged kludge isn't reliable enough for the 
    state of PostgreSQL reliability, and I don't want the RPMset's shortcomings 
    (due to the whole RPM mechanism forcing the issue) causing bad blood towards 
    PostgreSQL in general. The Debian packages don't have much of the limitations 
    and restrictions I have to deal with, and until a good upgrade utility is 
    available I'm just going to have to do this.
    
    I have been so swamped with Fortran work for work that I've not even looked at 
    the python code Hannu so kindly sent me, nor have I played any more with 
    pg_fsck.  Groundwave propagation modeling in Fortran has been more 
    important...
    
    Likewise, my focus as RPM maintainer is changing with this next release.  
    Since the distributions, such as Red Hat, are doing a great job keeping up to 
    date, I'm going to not bother much with building RPMs that are, frankly, 
    redundant at this point.  Three years ago it wasn't this nice.  Trond has 
    done a good job on the Red Hat bleeding edge front, Reinhard Max has done 
    similarly for SuSE.  There are PLD, Connectiva, TurboLinux, Caldera, and 
    Mandrake maintainers as well -- and they seem to be doing fine.
    
    I'm going to now go to the lagging plane -- building newer PostgreSQL for 
    older Red Hat (and maybe others, if I can get enough hard drives available).  
    The source RPM will still be useful to the newer distribution's maintainers 
    -- but the requests I see more of on the lists is newer PostgreSQL on older 
    linux.  So I'm going to try to rise to that occassion, and take this 
    opportunity to apologize for not seeing it sooner.
    
    I welcome comments on this change of focus.
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  48. Re: Open 7.3 items

    kdebisschop@alert.infoplease.com — 2002-08-13T01:51:11Z

    On Mon, 2002-08-12 at 21:28, Lamar Owen wrote:
    
    > I'm going to now go to the lagging plane -- building newer PostgreSQL for 
    > older Red Hat (and maybe others, if I can get enough hard drives available).  
    > The source RPM will still be useful to the newer distribution's maintainers 
    > -- but the requests I see more of on the lists is newer PostgreSQL on older 
    > linux.  So I'm going to try to rise to that occassion, and take this 
    > opportunity to apologize for not seeing it sooner.
    > 
    > I welcome comments on this change of focus.
    
    Even though we run redhat on our systems, as close to stock as we can, I
    have found that your RPMs build more reliably than Trond's.
    
    My bad for being unable to diagnose the build problems with the RedHat
    SRPM, my double-bad for letting that failure prevent my reporting the
    issu to him. 
    
    But I for one will miss your lead on the bleeding edge of RPM
    development.
    
    --
    Karl DeBisschop
    
    
    
    
  49. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-13T02:49:37Z

    On Monday 12 August 2002 09:51 pm, Karl DeBisschop wrote:
    > On Mon, 2002-08-12 at 21:28, Lamar Owen wrote:
    > > I'm going to now go to the lagging plane -- building newer PostgreSQL for
    > > older Red Hat (and maybe others, if I can get enough hard drives
    > > available). The source RPM will still be useful to the newer
    > > distribution's maintainers -- but the requests I see more of on the lists
    > > is newer PostgreSQL on older linux.  So I'm going to try to rise to that
    > > occassion, and take this opportunity to apologize for not seeing it
    > > sooner.
    
    > But I for one will miss your lead on the bleeding edge of RPM
    > development.
    
    Oh, I've misstated, apparently.  I'll continue on the 'bleeding edge' as far 
    as versions of PostgreSQL are concerned -- I'm just shifting focus to 
    providing prebuilt binaries on older dists.  As I do some other bleeding edge 
    work, I typically will make sure my source RPM's build on the latest and 
    greatest -- they just won't be optimized for it.
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  50. Re: Open 7.3 items

    Sean Chittenden <sean@chittenden.org> — 2002-08-13T21:25:53Z

    > Some mentioned using user@dbname, though the idea of sorting made
    > several recant their votes.
    >
    > So, based on the voting, I think dbname.username is an agreed-upon
    > feature addition for 7.3.  I will work on a final patch with
    > documentation and post it to the patches list for more comment.
    
    The nice thing about using an @ sign, amongst being more consistent
    with kerberos and email, is that it doesn't preclude the use of .'s in
    a database name.  For simplicity's sake, I'd really like to be able to
    continue issuing database names that are identical to the domain that
    they serve and worry that relying on a "." will either make the use of
    a dot in the username or database impossible.  An @ sign, on the other
    hand, is the ubiquitously agreed upon username/host separator and
    makes it all that much more consistent for users and administrators.
    
    Username: john.doe
    Database: foo.com
    possible pg_shadow entry #1: john.doe.foo.com
    possible pg_shadow entry #2: john.doe@foo.com
    
    If people are worried about the sorting, ORDER BY domain, username.
    My $0.02.  -sc
    
    -- 
    Sean Chittenden
    
    
  51. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-13T22:22:30Z

    Sean Chittenden wrote:
    > > Some mentioned using user@dbname, though the idea of sorting made
    > > several recant their votes.
    > >
    > > So, based on the voting, I think dbname.username is an agreed-upon
    > > feature addition for 7.3.  I will work on a final patch with
    > > documentation and post it to the patches list for more comment.
    > 
    > The nice thing about using an @ sign, amongst being more consistent
    > with kerberos and email, is that it doesn't preclude the use of .'s in
    > a database name.  For simplicity's sake, I'd really like to be able to
    > continue issuing database names that are identical to the domain that
    > they serve and worry that relying on a "." will either make the use of
    > a dot in the username or database impossible.  An @ sign, on the other
    > hand, is the ubiquitously agreed upon username/host separator and
    > makes it all that much more consistent for users and administrators.
    > 
    > Username: john.doe
    > Database: foo.com
    > possible pg_shadow entry #1: john.doe.foo.com
    > possible pg_shadow entry #2: john.doe@foo.com
    > 
    > If people are worried about the sorting, ORDER BY domain, username.
    > My $0.02.  -sc
    
    Well, they aren't separate fields so you can't ORDER BY domain.  The dot
    was used so it looks like a schema based on dbname.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  52. Re: Open 7.3 items

    Sean Chittenden <sean@chittenden.org> — 2002-08-14T00:09:34Z

    > > > Some mentioned using user@dbname, though the idea of sorting made
    > > > several recant their votes.
    > > >
    > > > So, based on the voting, I think dbname.username is an agreed-upon
    > > > feature addition for 7.3.  I will work on a final patch with
    > > > documentation and post it to the patches list for more comment.
    > > 
    > > The nice thing about using an @ sign, amongst being more consistent
    > > with kerberos and email, is that it doesn't preclude the use of .'s in
    > > a database name.  For simplicity's sake, I'd really like to be able to
    > > continue issuing database names that are identical to the domain that
    > > they serve and worry that relying on a "." will either make the use of
    > > a dot in the username or database impossible.  An @ sign, on the other
    > > hand, is the ubiquitously agreed upon username/host separator and
    > > makes it all that much more consistent for users and administrators.
    > > 
    > > Username: john.doe
    > > Database: foo.com
    > > possible pg_shadow entry #1: john.doe.foo.com
    > > possible pg_shadow entry #2: john.doe@foo.com
    > > 
    > > If people are worried about the sorting, ORDER BY domain, username.
    > > My $0.02.  -sc
    > 
    > Well, they aren't separate fields so you can't ORDER BY domain.  The dot
    > was used so it looks like a schema based on dbname.
    
    Sorry, I know it's a single field and that there is no split()
    function (that I'm aware of), but that seems like such a small and
    easy to fix problem that I personally place a higher value on the more
    standard nomeclature and use of an @ sign.  I understand the value of
    . for schemas and whatnot, but isn't a user going to be in their own
    schema to begin with?  As for the order by, I've got a list of users
    per "account" (sales account), so doing the order by is on two columns
    and the pg_shadow table is generated periodically from our inhouse
    tables.  -sc
    
    -- 
    Sean Chittenden
    
    
  53. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T01:00:10Z

    Sean Chittenden wrote:
    > > Well, they aren't separate fields so you can't ORDER BY domain.  The dot
    > > was used so it looks like a schema based on dbname.
    > 
    > Sorry, I know it's a single field and that there is no split()
    > function (that I'm aware of), but that seems like such a small and
    > easy to fix problem that I personally place a higher value on the more
    > standard nomeclature and use of an @ sign.  I understand the value of
    > . for schemas and whatnot, but isn't a user going to be in their own
    > schema to begin with?  As for the order by, I've got a list of users
    > per "account" (sales account), so doing the order by is on two columns
    > and the pg_shadow table is generated periodically from our inhouse
    > tables.  -sc
    
    I have no personal preference between period and @ or whatever.  See if
    you can get some other votes for @ because most left @ when the ORDER BY
    idea came up from Marc.
    
    As for it being a special character, it really isn't because the code
    prepends the database name and a period.  It doesn't look to see if
    there is a period in the already or anything.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  54. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T01:36:43Z

    OK, here is the patch to implement db_user_namespace.  It includes
    documentation.
    
    I had to add to initdb to create a file /data/PG_INSTALLER and have the
    postmaster read that on startup to determine the installing user.
    
    ---------------------------------------------------------------------------
    
    Bruce Momjian wrote:
    > 
    > I would like to address this email.  
    > 
    > Lamar is mentioning that it is unfair to remove a feature without
    > warning.
    > 
    > Let me give a little history.  The secondary password file was created
    > at a time when we didn't encrypt with random salt over the wire, and we
    > had people who wanted to share their /etc/passwd file with PostgreSQL.
    > 
    > Later, people wanted to use the secondary password file for just
    > usernames, so you could list usernames in the file and limit db access
    > by user.  This is the current usage for 99% of secondary password users.
    > This capability is better served in 7.3 with the new USER column in
    > pg_shadow and the ability to specify filenames or groups in that file. 
    > Keeping the secondary password file to specify a user list while a new
    > USER column exists in 7.3 is just confusing to administrators.  Our
    > pg_hba.conf system is pretty complex, so anything we can do to simplify
    > helps.
    > 
    > Now, on to Marc's case, where he does use the file for usernames _and_
    > passwords.  However, he is using it only so he can have more than one
    > person with the same username and restrict access based on the password
    > in the secondary password file.  While this does work, my submitted
    > patch makes this much easier and cleaner.
    > 
    > Marc had mentioned that this should be an initdb flag.  However, our
    > standard procedure is to put stuff in initdb only when it can't be
    > changed after initdb.  While strange, this feature can be
    > enabled-disabled after initdb.  A quick update of pg_shadow can change
    > usernames and you can go in and out of this mode.
    > 
    > Someone talked about pushing this capability into a separate pg_shadow
    > column, and making CREATE/ALTER user and createuser aware of this. 
    > While this can be done, and it sort of becomes user schemas, there isn't
    > enough people wanting this to add complexity to those commands.  A GUC
    > flag will meet most peoples needs at this point.
    > 
    > Some mentioned using user@dbname, though the idea of sorting made
    > several recant their votes.
    > 
    > So, based on the voting, I think dbname.username is an agreed-upon
    > feature addition for 7.3.  I will work on a final patch with
    > documentation and post it to the patches list for more comment.
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
  55. Re: Open 7.3 items

    Hannu Krosing <hannu@tm.ee> — 2002-08-14T02:42:49Z

    On Wed, 2002-08-14 at 06:00, Bruce Momjian wrote:
    > Sean Chittenden wrote:
    > > > Well, they aren't separate fields so you can't ORDER BY domain.  The dot
    > > > was used so it looks like a schema based on dbname.
    
    IMHO it should look like an user in domain ;)
     
    > > Sorry, I know it's a single field and that there is no split()
    > > function (that I'm aware of), but that seems like such a small and
    > > easy to fix problem that I personally place a higher value on the more
    > > standard nomeclature and use of an @ sign.  I understand the value of
    > > . for schemas and whatnot, but isn't a user going to be in their own
    > > schema to begin with?  As for the order by, I've got a list of users
    > > per "account" (sales account), so doing the order by is on two columns
    > > and the pg_shadow table is generated periodically from our inhouse
    > > tables.  -sc
    > 
    > I have no personal preference between period and @ or whatever.  See if
    > you can get some other votes for @ because most left @ when the ORDER BY
    > idea came up from Marc.
    
    I still like @ . And I posted code that could be put in the pg_user view
    to split out domain you could ORDER BY.
     
    > As for it being a special character, it really isn't because the code
    > prepends the database name and a period.  It doesn't look to see if
    > there is a period in the already or anything.
    -----------
    Hannu
    
    
    
  56. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-14T04:11:10Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > I have no personal preference between period and @ or whatever.  See if
    > you can get some other votes for @ because most left @ when the ORDER BY
    > idea came up from Marc.
    
    FWIW, I still lean to username@database, so I think we're roughly at a
    tie.  It would be good to get more votes ...
    
    			regards, tom lane
    
    
  57. Re: Open 7.3 items

    Christopher Kings-Lynne <chriskl@familyhealth.com.au> — 2002-08-14T04:15:26Z

    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > I have no personal preference between period and @ or whatever.  See if
    > > you can get some other votes for @ because most left @ when the ORDER BY
    > > idea came up from Marc.
    >
    > FWIW, I still lean to username@database, so I think we're roughly at a
    > tie.  It would be good to get more votes ...
    
    Sorry guys, I'm staying out of this one as my vote would be entirely
    arbitrary...
    
    Chris
    
    
    
  58. Re: Open 7.3 items

    Joe Conway <mail@joeconway.com> — 2002-08-14T04:45:37Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > 
    >>I have no personal preference between period and @ or whatever.  See if
    >>you can get some other votes for @ because most left @ when the ORDER BY
    >>idea came up from Marc.
    > 
    > 
    > FWIW, I still lean to username@database, so I think we're roughly at a
    > tie.  It would be good to get more votes ...
    > 
    
    I'm in favor of username@database too.
    
    Joe
    
    
    
    
    
  59. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T04:45:57Z

    OK, the vote is not shifting from '.' to '@'.  Is that how we want to
    go?  I like the pg_user enhancement.  Marc, comments?  This was your baby.
    
    ---------------------------------------------------------------------------
    
    Hannu Krosing wrote:
    > On Wed, 2002-08-14 at 06:00, Bruce Momjian wrote:
    > > Sean Chittenden wrote:
    > > > > Well, they aren't separate fields so you can't ORDER BY domain.  The dot
    > > > > was used so it looks like a schema based on dbname.
    > 
    > IMHO it should look like an user in domain ;)
    >  
    > > > Sorry, I know it's a single field and that there is no split()
    > > > function (that I'm aware of), but that seems like such a small and
    > > > easy to fix problem that I personally place a higher value on the more
    > > > standard nomeclature and use of an @ sign.  I understand the value of
    > > > . for schemas and whatnot, but isn't a user going to be in their own
    > > > schema to begin with?  As for the order by, I've got a list of users
    > > > per "account" (sales account), so doing the order by is on two columns
    > > > and the pg_shadow table is generated periodically from our inhouse
    > > > tables.  -sc
    > > 
    > > I have no personal preference between period and @ or whatever.  See if
    > > you can get some other votes for @ because most left @ when the ORDER BY
    > > idea came up from Marc.
    > 
    > I still like @ . And I posted code that could be put in the pg_user view
    > to split out domain you could ORDER BY.
    >  
    > > As for it being a special character, it really isn't because the code
    > > prepends the database name and a period.  It doesn't look to see if
    > > there is a period in the already or anything.
    > -----------
    > Hannu
    > 
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  60. Re: Open 7.3 items

    Hannu Krosing <hannu@tm.ee> — 2002-08-14T06:11:59Z

    On Wed, 2002-08-14 at 12:45, Sean Chittenden wrote:
    > > > > > Well, they aren't separate fields so you can't ORDER BY domain.  The dot
    > > > > > was used so it looks like a schema based on dbname.
    > > 
    > > IMHO it should look like an user in domain ;)
    > 
    > Agreed, but there is something to be said for doing a sort of users
    > per domain.  This wouldn't be an issue, I don't think, if there was a
    > split_before() and split_after() like functions.
    > 
    > # SELECT split_before('user@domain.com','@'), split_after('user@domain.com', '@');
    >  ?column? |  ?column?
    > ----------+------------
    >  user     | domain.com
    > 
    > What would you guys say to submissions for a patch that would add the
    > function listed above? 
    
    create function split_before(text,text) returns text as '
     select case when (strpos($1,$2) > 0)
                 then substr($1,1,strpos($1,$2)-1)
                 else $1
                  end as usename
    ' language 'SQL';
    
    create function split_after(text,text) returns text as '
     select case when (strpos($1,$2) > 0)
                 then substr($1,strpos($1,$2)+1)
                 else ''''
                  end as usedomain
    ' language 'SQL' ;
    
    hannu=# select split_before('me@somewhere','@'),
    split_after('me@somewhere','@');
     split_before | split_after 
    --------------+-------------
     me           | somewhere
    (1 row)
    
    -------------
    Hannu
    
    
    
  61. Re: Open 7.3 items

    Sean Chittenden <sean@chittenden.org> — 2002-08-14T07:45:47Z

    > > > > Well, they aren't separate fields so you can't ORDER BY domain.  The dot
    > > > > was used so it looks like a schema based on dbname.
    > 
    > IMHO it should look like an user in domain ;)
    
    Agreed, but there is something to be said for doing a sort of users
    per domain.  This wouldn't be an issue, I don't think, if there was a
    split_before() and split_after() like functions.
    
    # SELECT split_before('user@domain.com','@'), split_after('user@domain.com', '@');
     ?column? |  ?column?
    ----------+------------
     user     | domain.com
    
    What would you guys say to submissions for a patch that would add the
    function listed above?  Maybe just a function called get_user(text)
    and get_domain(text)? ::shrug:: Just some thoughts since there is
    validity to being able to parse/operate on this data efficiently.  If
    those functions existed, then I think everyone would be able to have
    their pie as they want it.  -sc
    
    -- 
    Sean Chittenden
    
    
  62. Re: Open 7.3 items

    Sean Chittenden <sean@chittenden.org> — 2002-08-14T09:03:42Z

    > > > > > > Well, they aren't separate fields so you can't ORDER BY domain.  The dot
    > > > > > > was used so it looks like a schema based on dbname.
    > > > 
    > > > IMHO it should look like an user in domain ;)
    > > 
    > > Agreed, but there is something to be said for doing a sort of users
    > > per domain.  This wouldn't be an issue, I don't think, if there was a
    > > split_before() and split_after() like functions.
    > > 
    > > # SELECT split_before('user@domain.com','@'), split_after('user@domain.com', '@');
    > >  ?column? |  ?column?
    > > ----------+------------
    > >  user     | domain.com
    > > 
    > > What would you guys say to submissions for a patch that would add the
    > > function listed above? 
    > 
    > create function split_before(text,text) returns text as '
    >  select case when (strpos($1,$2) > 0)
    >              then substr($1,1,strpos($1,$2)-1)
    >              else $1
    >               end as usename
    > ' language 'SQL';
    > 
    > create function split_after(text,text) returns text as '
    >  select case when (strpos($1,$2) > 0)
    >              then substr($1,strpos($1,$2)+1)
    >              else ''''
    >               end as usedomain
    > ' language 'SQL' ;
    > 
    > hannu=# select split_before('me@somewhere','@'),
    > split_after('me@somewhere','@');
    >  split_before | split_after 
    > --------------+-------------
    >  me           | somewhere
    > (1 row)
    
    Oh that was handy and fast!  I didn't know of strpos().  Cool, who
    says 'ya can't learn something every day?  :~) Now with an alias or
    subselect, it should be very easy to order users in a domain in any
    way that SQL allows.  :~) Thanks Hannu.  -sc
    
    -- 
    Sean Chittenden
    
    
  63. Re: Open 7.3 items

    Rod Taylor <rbt@zort.ca> — 2002-08-14T12:08:46Z

    I'm going to vote for either @ or %.
    
    On Wed, 2002-08-14 at 00:11, Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > I have no personal preference between period and @ or whatever.  See if
    > > you can get some other votes for @ because most left @ when the ORDER BY
    > > idea came up from Marc.
    > 
    > FWIW, I still lean to username@database, so I think we're roughly at a
    > tie.  It would be good to get more votes ...
    
    
    
    
  64. Re: Open 7.3 items

    ngpg@grymmjack.com — 2002-08-14T13:46:59Z

     
    > OK, the vote is not shifting from '.' to '@'.  Is that how we want to
    > go?  I like the pg_user enhancement.  Marc, comments?  This was your
    > baby. 
    > 
    
    Would it be hard to setup an internal PG variable for the actual character 
    to be used?
    
    
  65. Re: Open 7.3 items

    Joe Conway <mail@joeconway.com> — 2002-08-14T14:08:12Z

    Sean Chittenden wrote:
    > Agreed, but there is something to be said for doing a sort of users
    > per domain.  This wouldn't be an issue, I don't think, if there was a
    > split_before() and split_after() like functions.
    > 
    > # SELECT split_before('user@domain.com','@'), split_after('user@domain.com', '@');
    >  ?column? |  ?column?
    > ----------+------------
    >  user     | domain.com
    > 
    > What would you guys say to submissions for a patch that would add the
    > function listed above?  Maybe just a function called get_user(text)
    > and get_domain(text)? ::shrug:: Just some thoughts since there is
    > validity to being able to parse/operate on this data efficiently.  If
    > those functions existed, then I think everyone would be able to have
    > their pie as they want it.  -sc
    > 
    
    I already have a function in contrib/dblink, currently called 
    dblink_strtok(), which I was going to turn into a builtin function per 
    recent discussion (renamed of course). It would work for this but is 
    more general:
    
    dblink_strtok(text inputstring, text delimiter, int posn) RETURNS text
    
    Inputs
       inputstring
         any string you want to parse a token out of;
         e.g. 'f=1&g=3&h=4'
       delimiter
         a single character to use as the delimiter;
         e.g. '&' or '='
       posn
         the position of the token of interest, 0 based;
         e.g. 1
    
    Should it be called splitstr() (similar to substr())?
    
    Joe
    
    
    
  66. Re: Open 7.3 items

    Andrew Sullivan <andrew@libertyrms.info> — 2002-08-14T14:23:24Z

    On Wed, Aug 14, 2002 at 12:11:10AM -0400, Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > I have no personal preference between period and @ or whatever.  See if
    > > you can get some other votes for @ because most left @ when the ORDER BY
    > > idea came up from Marc.
    > 
    > FWIW, I still lean to username@database, so I think we're roughly at a
    > tie.  It would be good to get more votes ...
    
    My non-coding vote goes to user@database, too.
    
    A
    
    -- 
    ----
    Andrew Sullivan                               87 Mowat Avenue 
    Liberty RMS                           Toronto, Ontario Canada
    <andrew@libertyrms.info>                              M6K 3E3
                                             +1 416 646 3304 x110
    
    
    
  67. Re: Open 7.3 items

    Hannu Krosing <hannu@tm.ee> — 2002-08-14T15:27:37Z

    On Wed, 2002-08-14 at 16:08, Joe Conway wrote:
    > I already have a function in contrib/dblink, currently called 
    > dblink_strtok(), which I was going to turn into a builtin function per 
    > recent discussion (renamed of course). It would work for this but is 
    > more general:
    > 
    > dblink_strtok(text inputstring, text delimiter, int posn) RETURNS text
    > 
    > Inputs
    >    inputstring
    >      any string you want to parse a token out of;
    >      e.g. 'f=1&g=3&h=4'
    >    delimiter
    >      a single character to use as the delimiter;
    >      e.g. '&' or '='
    >    posn
    >      the position of the token of interest, 0 based;
    >      e.g. 1
    > 
    > Should it be called splitstr() (similar to substr())?
    
    What about functions
    
    1. split(text,text,int) returns text
    
    2. split(text,text) returns text[]
    
    and why not
    
    3. split(text,text,text) returns text
    
    which returns text from $1 delimited by $2 and $3
    
    -------------
    Hannu
    
    
    
  68. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-14T16:12:23Z

    On Tuesday 13 August 2002 07:21 pm, Sander Steffann wrote:
    > I think choosing . as the delimiter is a dangerous choice... People have
    > not expected it to be special until now, so maybe another character can be
    > chosen? I would suggest a colon if possible, so you would get dbname:user.
    > I don't expect that a lot of people use a colon as the dbname or username,
    > but I could be very wrong here.
    
    The choices have been enumerated as . and @.  I personally vote for either:
    user@db
    OR
    db!user
    (sorry, having been a UUCP node admin shows at times...)  To my eyes the bang 
    notation is more of a 'divider' than the @.  Unless there is some _really_ 
    good reason to not use !, that is. :-)
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  69. Re: Open 7.3 items

    Alvaro Herrera <alvherre@atentus.com> — 2002-08-14T16:25:08Z

    ngpg@grymmjack.com dijo: 
    
    > > OK, the vote is not shifting from '.' to '@'.  Is that how we want to
    > > go?  I like the pg_user enhancement.  Marc, comments?  This was your
    > > baby. 
    > 
    > Would it be hard to setup an internal PG variable for the actual character 
    > to be used?
    
    That'd be good, because almost any character people wants to use as
    delimiter is actually valid in database and user names.  So giving
    people a choice is a good thing.
    
    For example someone may want to use email address as usernames, and that
    messes up the splitting on @.
    
    -- 
    Alvaro Herrera (<alvherre[a]atentus.com>)
    "Cuando miro a alguien, mas me atrae como cambia que quien es" (J. Binoche)
    
    
    
  70. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T17:04:20Z

    We are clearly going for user@db now.
    
    ---------------------------------------------------------------------------
    
    Lamar Owen wrote:
    > On Tuesday 13 August 2002 07:21 pm, Sander Steffann wrote:
    > > I think choosing . as the delimiter is a dangerous choice... People have
    > > not expected it to be special until now, so maybe another character can be
    > > chosen? I would suggest a colon if possible, so you would get dbname:user.
    > > I don't expect that a lot of people use a colon as the dbname or username,
    > > but I could be very wrong here.
    > 
    > The choices have been enumerated as . and @.  I personally vote for either:
    > user@db
    > OR
    > db!user
    > (sorry, having been a UUCP node admin shows at times...)  To my eyes the bang 
    > notation is more of a 'divider' than the @.  Unless there is some _really_ 
    > good reason to not use !, that is. :-)
    > -- 
    > Lamar Owen
    > WGCR Internet Radio
    > 1 Peter 4:11
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  71. Re: Open 7.3 items

    Peter Eisentraut <peter_e@gmx.net> — 2002-08-14T17:16:46Z

    Bruce Momjian writes:
    
    > I had to add to initdb to create a file /data/PG_INSTALLER and have the
    > postmaster read that on startup to determine the installing user.
    
    I object to treating one user specially.  There should be a general
    mechanism, such as a separate column in pg_shadow.
    
    I also object to fixing the name during initdb.  We just got rid of that
    requirement.
    
    If it mattered, I would also object to the choice of the file name.
    
    -- 
    Peter Eisentraut   peter_e@gmx.net
    
    
    
  72. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T17:19:57Z

    OK, what I didn't want to do we to over-complexify something that is for
    only a few users.  In a way that user has to be special for this case
    because of the requirement that at least one person be able to connect
    when you flip that flag.
    
    Also, I don't want to add a column to pg_shadow.  Seems like overkill.
    
    Please suggest another name for the file.
    
    Basically, I am not going to stop working on something when one person
    objects or this will never get done, and I think we have had enough
    feedback on this that people do want this done.
    
    ---------------------------------------------------------------------------
    
    Peter Eisentraut wrote:
    > Bruce Momjian writes:
    > 
    > > I had to add to initdb to create a file /data/PG_INSTALLER and have the
    > > postmaster read that on startup to determine the installing user.
    > 
    > I object to treating one user specially.  There should be a general
    > mechanism, such as a separate column in pg_shadow.
    > 
    > I also object to fixing the name during initdb.  We just got rid of that
    > requirement.
    > 
    > If it mattered, I would also object to the choice of the file name.
    > 
    > -- 
    > Peter Eisentraut   peter_e@gmx.net
    > 
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  73. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T17:35:25Z

    This email brings up another issue I have seen recently.  The use of the
    word "object", "strongly object", or "*object*" with stars is a very
    confrontational way to express things.  It does not foster discussion;
    it really puts your heal in the ground and presents a very unswerving
    attitude when it really isn't necessary nor valuable.
    
    It is not just this email, but several people on this list who are doing
    that now, and it is making for more negative discussions.  Thomas has
    mentioned it too.
    
    As I have said before, everyone gets one vote.  It doesn't matter how
    hard to "object" to something. It is the force of your argument that
    affects the votes, not how strongly you express your dislike of
    something.
    
    One effect of this environment is that you end up coding to avoid
    "objections" rather than coding to meet users needs.  Certainly the
    people who express objections are providing valuable feedback to help
    improve patches/features, but it should be done in a way that doesn't
    give the impression they are in a courtroom and when you post something
    incorrect, some lawyer is going to jump up and yell "object".
    
    ---------------------------------------------------------------------------
    
    Peter Eisentraut wrote:
    > Bruce Momjian writes:
    > 
    > > I had to add to initdb to create a file /data/PG_INSTALLER and have the
    > > postmaster read that on startup to determine the installing user.
    > 
    > I object to treating one user specially.  There should be a general
    > mechanism, such as a separate column in pg_shadow.
    > 
    > I also object to fixing the name during initdb.  We just got rid of that
    > requirement.
    > 
    > If it mattered, I would also object to the choice of the file name.
    > 
    > -- 
    > Peter Eisentraut   peter_e@gmx.net
    > 
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 3: if posting/reading through Usenet, please send an appropriate
    > subscribe-nomail command to majordomo@postgresql.org so that your
    > message can get through to the mailing list cleanly
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  74. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-14T17:48:56Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > In a way that user has to be special for this case
    > because of the requirement that at least one person be able to connect
    > when you flip that flag.
    
    Why does anyone need to be special?  The behavior should be to try the
    given user name, and if that's not found then to try user@db.  I see no
    need to special-case any user.
    
    > Basically, I am not going to stop working on something when one person
    > objects or this will never get done,
    
    He didn't say to stop working on it.  He said to fix the misdesigned
    parts.  And I quite agree that those parts are misdesigned.
    
    			regards, tom lane
    
    
  75. Re: Open 7.3 items

    Rod Taylor <rbt@zort.ca> — 2002-08-14T18:03:25Z

    I believe the dictionary meaning of 'object' in this context would be 'a
    cause for concern or attention'.  Each of Peters uses of the word is
    highly appropriate, as he was concerned and I'd agree with the
    sentiments that those concepts needed attention.
    
    Anyway, object with stars and strongly object are definitely leaning
    towards abuse of the word.
    
    
    On Wed, 2002-08-14 at 13:35, Bruce Momjian wrote:
    > 
    > This email brings up another issue I have seen recently.  The use of the
    > word "object", "strongly object", or "*object*" with stars is a very
    
    > > > I had to add to initdb to create a file /data/PG_INSTALLER and have the
    > > > postmaster read that on startup to determine the installing user.
    > > 
    > > I object to treating one user specially.  There should be a general
    > > mechanism, such as a separate column in pg_shadow.
    > > 
    > > I also object to fixing the name during initdb.  We just got rid of that
    > > requirement.
    > > 
    > > If it mattered, I would also object to the choice of the file name.
    
    
    
    
    
  76. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T18:24:50Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > In a way that user has to be special for this case
    > > because of the requirement that at least one person be able to connect
    > > when you flip that flag.
    > 
    > Why does anyone need to be special?  The behavior should be to try the
    > given user name, and if that's not found then to try user@db.  I see no
    > need to special-case any user.
    
    
    Oh, so try it with and without.  I can do that, but it seems more of a
    security problem where you were trying two names instead of one.  Do
    people like that?  It is easy to do, except for the fact we have to
    match pg_hba.conf with a username, though we could do the double-test
    there too, if that isn't too weird.
    
    > > Basically, I am not going to stop working on something when one person
    > > objects or this will never get done,
    > 
    > He didn't say to stop working on it.  He said to fix the misdesigned
    > parts.  And I quite agree that those parts are misdesigned.
    
    I will fix them as long as the fixes don't generate new objections, like
    adding a new column to pg_shadow.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  77. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-14T18:34:38Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > Oh, so try it with and without.  I can do that, but it seems more of a
    > security problem where you were trying two names instead of one.  Do
    > people like that?
    
    The nice thing about it is you can have any combination of people with
    installation-wide access (create them as joeblow) and people with
    one-database access (create them as joeblow@joesdatabase).  A special
    case for only the postgres user is much less flexible.
    
    > It is easy to do, except for the fact we have to
    > match pg_hba.conf with a username, though we could do the double-test
    > there too, if that isn't too weird.
    
    It'd probably be better to first look at the flat-file copy of pg_shadow
    to determine whether user or user@database is the form to use, and then
    run through pg_hba.conf only once using the correct form.  Otherwise
    there are going to be all sorts of weird corner cases: user might match
    a different pg_hba row than user@database does.
    
    Also, if you do it this way then the substitution only has to be done in
    one place: you can pass down the correct form to the backend, which'd
    otherwise have to repeat the test to see which username is found.
    
    			regards, tom lane
    
    
  78. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T18:38:04Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > Oh, so try it with and without.  I can do that, but it seems more of a
    > > security problem where you were trying two names instead of one.  Do
    > > people like that?
    > 
    > The nice thing about it is you can have any combination of people with
    > installation-wide access (create them as joeblow) and people with
    > one-database access (create them as joeblow@joesdatabase).  A special
    > case for only the postgres user is much less flexible.
    
    Oh, yes, clearly a nice addition, but see below.
    
    > > It is easy to do, except for the fact we have to
    > > match pg_hba.conf with a username, though we could do the double-test
    > > there too, if that isn't too weird.
    > 
    > It'd probably be better to first look at the flat-file copy of pg_shadow
    > to determine whether user or user@database is the form to use, and then
    > run through pg_hba.conf only once using the correct form.  Otherwise
    > there are going to be all sorts of weird corner cases: user might match
    > a different pg_hba row than user@database does.
    
    Problem is that pg_shadow flat file _only_ has users with passwords.  I
    do a btree search of that file, but I am not sure I want to add a dump
    of _all_ users just to allow this.  Do we?
    
    > Also, if you do it this way then the substitution only has to be done in
    > one place: you can pass down the correct form to the backend, which'd
    > otherwise have to repeat the test to see which username is found.
    
    Yes, certainly a big win.  What we _could_ do is to allow connections to
    template1 be unsuffixed by the dbname, but that makes everyone
    connecting to template1 have problems, and just seemed too weird.
    
    Ideas?
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  79. Re: Open 7.3 items

    Rod Taylor <rbt@zort.ca> — 2002-08-14T18:40:40Z

    On Wed, 2002-08-14 at 14:34, Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > Oh, so try it with and without.  I can do that, but it seems more of a
    > > security problem where you were trying two names instead of one.  Do
    > > people like that?
    > 
    > The nice thing about it is you can have any combination of people with
    > installation-wide access (create them as joeblow) and people with
    > one-database access (create them as joeblow@joesdatabase).  A special
    > case for only the postgres user is much less flexible.
    > 
    > > It is easy to do, except for the fact we have to
    > > match pg_hba.conf with a username, though we could do the double-test
    > > there too, if that isn't too weird.
    > 
    > It'd probably be better to first look at the flat-file copy of pg_shadow
    > to determine whether user or user@database is the form to use, and then
    > run through pg_hba.conf only once using the correct form.  Otherwise
    > there are going to be all sorts of weird corner cases: user might match
    > a different pg_hba row than user@database does.
    > 
    > Also, if you do it this way then the substitution only has to be done in
    > one place: you can pass down the correct form to the backend, which'd
    > otherwise have to repeat the test to see which username is found.
    
    If there is a global 'user', then a database specific 'user@database'
    should be rejected shouldn't it?  Otherwise we wind up with two
    potential 'user@database' users (globals users are really user@<each
    database>) but with a single ID.
    
    
    
    
    
  80. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-14T18:51:36Z

    On Wednesday 14 August 2002 02:38 pm, Bruce Momjian wrote:
    > Tom Lane wrote:
    > > The nice thing about it is you can have any combination of people with
    > > installation-wide access (create them as joeblow) and people with
    > > one-database access (create them as joeblow@joesdatabase).  A special
    > > case for only the postgres user is much less flexible.
    
    > > Also, if you do it this way then the substitution only has to be done in
    > > one place: you can pass down the correct form to the backend, which'd
    > > otherwise have to repeat the test to see which username is found.
    
    > Yes, certainly a big win.  What we _could_ do is to allow connections to
    > template1 be unsuffixed by the dbname, but that makes everyone
    > connecting to template1 have problems, and just seemed too weird.
    
    > Ideas?
    
    Appending '@template1' to unadorned usernames, and giving inherited rights 
    across the installation to users with template1 rights?  Then you have the 
    unadorned 'lowen' becomes 'lowen@template1' -- but lowen@pari wouldn't have 
    access to template1, right?  Or am I misunderstanding the feature?
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  81. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-14T19:04:35Z

    Lamar Owen <lamar.owen@wgcr.org> writes:
    > Appending '@template1' to unadorned usernames, and giving inherited rights 
    > across the installation to users with template1 rights?  Then you have the 
    > unadorned 'lowen' becomes 'lowen@template1' -- but lowen@pari wouldn't have 
    > access to template1, right?
    
    If not, standard things like "psql -l" won't work for lowen@pari.  I don't
    think we can get away with a scheme that depends on disallowing access
    to template1 for most people.
    
    It should also be noted that the whole point of this little project was
    to do something *simple* ... checking access to some other database to
    decide what we will allow is getting a bit far afield from simple.
    
    			regards, tom lane
    
    
  82. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-14T19:05:40Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > Problem is that pg_shadow flat file _only_ has users with passwords.  I
    > do a btree search of that file, but I am not sure I want to add a dump
    > of _all_ users just to allow this.  Do we?
    
    Why not?  Doesn't seem like a big penalty ...
    
    			regards, tom lane
    
    
  83. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-14T19:29:38Z

    On Wed, 14 Aug 2002, Tom Lane wrote:
    
    > Lamar Owen <lamar.owen@wgcr.org> writes:
    > > Appending '@template1' to unadorned usernames, and giving inherited rights
    > > across the installation to users with template1 rights?  Then you have the
    > > unadorned 'lowen' becomes 'lowen@template1' -- but lowen@pari wouldn't have
    > > access to template1, right?
    >
    > If not, standard things like "psql -l" won't work for lowen@pari.  I don't
    > think we can get away with a scheme that depends on disallowing access
    > to template1 for most people.
    >
    > It should also be noted that the whole point of this little project was
    > to do something *simple* ... checking access to some other database to
    > decide what we will allow is getting a bit far afield from simple.
    
    Hate to complicate things more, but back to a global username, say
    you have user "lowen" that should have access to all databases.  What
    happens if there's already a lowen@somedb that's an unprivileged user.
    Assuming lowen is a db superuser, what happens in somedb?  If there's
    a global user "lowen" and you try to create a lowen@somedb later, will
    it be allowed?
    
    One possible simplification would be to make the username the full
    username "lowen@somedb", "lowen", ...  Right now we can create a
    "lowen@somedb" and it's a different user than "lowen" and we can
    already restrict a user to one database, can't we?  Hmmm.  Just
    checked and I guess not - I thought we had a record type of "user".
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  84. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-14T19:31:07Z

    On Wednesday 14 August 2002 03:04 pm, Tom Lane wrote:
    > Lamar Owen <lamar.owen@wgcr.org> writes:
    > > Appending '@template1' to unadorned usernames, and giving inherited
    > > rights across the installation to users with template1 rights?  Then you
    > > have the unadorned 'lowen' becomes 'lowen@template1' -- but lowen@pari
    > > wouldn't have access to template1, right?
    
    > If not, standard things like "psql -l" won't work for lowen@pari.  I don't
    > think we can get away with a scheme that depends on disallowing access
    > to template1 for most people.
    
    Ok, maybe I'm really off base, but if I connect to database pari as 
    lowen@pari, isn't pg_database present there?  I just tried here:
    createdb pari
    psql pari
    Welcome to psql, the PostgreSQL interactive terminal.
    
    Type:  \copyright for distribution terms
           \h for help with SQL commands
           \? for help on internal slash commands
           \g or terminate with semicolon to execute query
           \q to quit
    
    pari=# select datname from pg_database;
      datname
    ------------
     acs-test
     maillabels
     testing2
     template1
     template0
     pari
    (6 rows)
    
    So AFAICT if I were psql I would parse the unadorned lowen as 
    'lowen@template1' and connect to template1 if not otherwise specified.  If 
    the fully qualified database user (FQDU) is present, parse the database name 
    out and connect to that database, then issue the SQL to do the -l or 
    whatever.  The @pari would just override the normal default of template1, 
    right?  So a 'psql -U lowen@pari -l '  would connect to database pari 
    (subject to permissions) and select datname from pg_database there.
    
    What else am I missing, Tom?  ISTM I don't need access to template1 -- 
    although I wasn't necessarily suggesting eliminating that.  I was more 
    suggesting:
    lowen@pari has read access to those parts of template1 necessary for normal 
    functioning, full access (subject ot GRANT/REVOKE) of pari, and no access to 
    other databases;
    lowen@template1 has access across the install (subject to GRANT/REVOKE, of 
    course). lowen@template1 = lowen (unadorned).  That was the answer, I 
    thought, to the question Bruce had.  There would be NO unadorned usernames 
    then, and no special handling EXCEPT of the template1 database, which is 
    already a special case.
    
    Now, can we support the idea of 'postgres@pari' being a superuser for pari but 
    not for the rest of the install?  Meaning no CREATE DATABASE right, as that 
    would require write access to template1?  That's OK I believe, as I would 
    assume a 'tied to a database' superuser shouldn't be allowed to create a new 
    database to which he isn't going to have access..... The full ramifications 
    of this structure could prove interesting.
    
    The supersuperuser 'postgres' becomes postgres@template1 -- template1 becoming 
    the consistent default database (for connecting as well as user membership).  
    As anything added to template1 becomes part of any subsequently added 
    databases, being a user in template1 becomes an installation-wide user.
    
    And the user never really has to explicitly state @template1 -- they could 
    just leave off the @template1 and everything works as it does now.
    
    Yes, there are complications, but not great ones, no?
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  85. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T19:32:15Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > Problem is that pg_shadow flat file _only_ has users with passwords.  I
    > > do a btree search of that file, but I am not sure I want to add a dump
    > > of _all_ users just to allow this.  Do we?
    > 
    > Why not?  Doesn't seem like a big penalty ...
    
    Well, in most cases pg_pwd doesn't even get created unless someone has a
    password.  We would be creating that file in all cases, or at least in
    all cases wher db_user_namespace is set, and again, that is a SIGHUP
    param, so you would need to make sure pg_pwd has the right contents if
    it was enabled during a sighup.  Frankly, I would recommend a new file
    that just contains user names and is always created.
    
    We are basically heading down the road to complexity here.
    
    In fact, pg_hba.conf is just a microcosm of how we are going to handle
    pg_shadow matching.  If we create dave@db1, then when dave tries to
    connect to db1, he comes in as dave@db1, but when he goes to connect to
    db2, if there is a plain 'dave', he will connect as 'dave' to db2, if
    possible.
    
    If people are OK with that, then I can easily push the double-testing
    down into the authentication system.  It merely means testing the new
    pg_hba.conf USER column for two values, and pg_shadow for two values,
    but I would test with @db first.
    
    The double testing just seems strange to me because it splits the user
    namespace into two parts one with @ and one without, and conflicting
    user parts in the two namespaces do interact when @db does not match. 
    That seems strange, but hey, if no one else thinks it is strange, it is
    easy to code.  It is basically the same as testing pg_pwd, just doing it
    later in the code.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  86. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-14T19:36:00Z

    On Wednesday 14 August 2002 03:29 pm, Vince Vielhaber wrote:
    > Hate to complicate things more, but back to a global username, say
    > you have user "lowen" that should have access to all databases.  What
    > happens if there's already a lowen@somedb that's an unprivileged user.
    > Assuming lowen is a db superuser, what happens in somedb?  If there's
    > a global user "lowen" and you try to create a lowen@somedb later, will
    > it be allowed?
    
    If the user 'lowen' is then expanded to 'lowen@template1' it would be stored 
    that way -- and lowen@template1 is different from lowen@pari, for instance.  
    The lowen@template1 user could be a superuser and lowen@pari might not -- but 
    they become distinct users.  Although I do understand the difficulty if the 
    FQDU isn't stored in full in the appropriate places.  So I guess the solution 
    is that wherever a user name is to be stored, the fully qualified form must 
    be used and checked against, with @template1 being a 'this user is 
    everywhere' shorthand.
    
    But maybe I'm just misunderstanding the implementation.
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  87. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T19:49:19Z

    Lamar Owen wrote:
    > On Wednesday 14 August 2002 03:29 pm, Vince Vielhaber wrote:
    > > Hate to complicate things more, but back to a global username, say
    > > you have user "lowen" that should have access to all databases.  What
    > > happens if there's already a lowen@somedb that's an unprivileged user.
    > > Assuming lowen is a db superuser, what happens in somedb?  If there's
    > > a global user "lowen" and you try to create a lowen@somedb later, will
    > > it be allowed?
    > 
    > If the user 'lowen' is then expanded to 'lowen@template1' it would be stored 
    > that way -- and lowen@template1 is different from lowen@pari, for instance.  
    > The lowen@template1 user could be a superuser and lowen@pari might not -- but 
    > they become distinct users.  Although I do understand the difficulty if the 
    > FQDU isn't stored in full in the appropriate places.  So I guess the solution 
    > is that wherever a user name is to be stored, the fully qualified form must 
    > be used and checked against, with @template1 being a 'this user is 
    > everywhere' shorthand.
    
    Yes, Vince is on to something with his quote above.
    
    If we have users with and without @, we get into the situation where
    users without @ may become users with @ when their usernames collide
    with existing user/db combinations already created.  The point is that
    those two namespaces do collide and will cause confusion.
    
    Then you start to get into the situation where you always add @ and make
    @template1 a special case.  However, remember that this flag can be
    turned on and off after initdb, so you need to be able to get in to set
    things up without great complexity _and_ the @template1 would not be
    passed in from the client, if for no other reason that the username is
    only 32 characters. It is the backend doing the flagging, and therefore
    the user can't say 'I am dave@templatge1' vs 'I am dave@connectdb'.
    
    This is how I got to the installuser hack in the first place.  In fact,
    even the install user, typically 'postgres' has a problem because if you
    create 'postgres@db1', 'postgres' will have trouble connecing to db1 as
    themselves. I think we can live with one user who is special/global, but
    not more than one because of the confusion it would create.
    
    I can change the way this works, but we need a solution without holes.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  88. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-14T19:55:15Z

    On Wed, 14 Aug 2002, Lamar Owen wrote:
    
    > On Wednesday 14 August 2002 03:29 pm, Vince Vielhaber wrote:
    > > Hate to complicate things more, but back to a global username, say
    > > you have user "lowen" that should have access to all databases.  What
    > > happens if there's already a lowen@somedb that's an unprivileged user.
    > > Assuming lowen is a db superuser, what happens in somedb?  If there's
    > > a global user "lowen" and you try to create a lowen@somedb later, will
    > > it be allowed?
    >
    > If the user 'lowen' is then expanded to 'lowen@template1' it would be stored
    > that way -- and lowen@template1 is different from lowen@pari, for instance.
    > The lowen@template1 user could be a superuser and lowen@pari might not -- but
    > they become distinct users.  Although I do understand the difficulty if the
    > FQDU isn't stored in full in the appropriate places.  So I guess the solution
    > is that wherever a user name is to be stored, the fully qualified form must
    > be used and checked against, with @template1 being a 'this user is
    > everywhere' shorthand.
    >
    > But maybe I'm just misunderstanding the implementation.
    
    I may be too, but what's wrong with just "lowen" being shorthand for
    'this user is everywhere'?  Does it also mean that we'd have a user
    postgres@template1?
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  89. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-14T20:34:13Z

    On Wednesday 14 August 2002 03:55 pm, Vince Vielhaber wrote:
    > On Wed, 14 Aug 2002, Lamar Owen wrote:
    > > If the user 'lowen' is then expanded to 'lowen@template1' it would be
    > > stored that way -- and lowen@template1 is different from lowen@pari, for
    
    > > But maybe I'm just misunderstanding the implementation.
    >
    > I may be too, but what's wrong with just "lowen" being shorthand for
    > 'this user is everywhere'?  Does it also mean that we'd have a user
    > postgres@template1?
    
    WE could still use the form without @template1, but the backend would assume 
    the @template1 user was being meant when the unqualified shorthand was used.  
    So the former plain 'postgres' user could still be such to us, to client 
    programs, etc, but the backend would assume that that meant 
    postgres@template1 -- no namespace collision, and the special case is that 
    anyone@template1 has the behavior the unadorned plain user now has.
    
    I do see Bruce's points, however.
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  90. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-14T21:01:06Z

    On Wednesday 14 August 2002 03:49 pm, Bruce Momjian wrote:
    > Lamar Owen wrote:
    > > On Wednesday 14 August 2002 03:29 pm, Vince Vielhaber wrote:
    > > > Hate to complicate things more, but back to a global username, say
    > > > you have user "lowen" that should have access to all databases.  What
    
    > > places.  So I guess the solution is that wherever a user name is to be
    > > stored, the fully qualified form must be used and checked against, with
    > > @template1 being a 'this user is everywhere' shorthand.
    
    > Yes, Vince is on to something with his quote above.
    
    > If we have users with and without @, we get into the situation where
    > users without @ may become users with @ when their usernames collide
    > with existing user/db combinations already created.  The point is that
    > those two namespaces do collide and will cause confusion.
    
    But that's the exact problem I was trying to address -- as far as the backend 
    is concerned, there isn't a user without @ -- the incoming connection from a 
    user without @ is translated into a connection coming from user@template1.
    
    > Then you start to get into the situation where you always add @ and make
    > @template1 a special case.  However, remember that this flag can be
    > turned on and off after initdb, so you need to be able to get in to set
    > things up without great complexity _and_ the @template1 would not be
    > passed in from the client, if for no other reason that the username is
    > only 32 characters. It is the backend doing the flagging, and therefore
    > the user can't say 'I am dave@templatge1' vs 'I am dave@connectdb'.
    
    Ok, how do I as a client specify the @dbname for the user?  By the database 
    I'm connecting to?  That IS a wrinkle.  But it does make sense, as lowen@pari 
    won't be able to connect to any other database, right?  So, where's this new 
    notation going to get used, again?
    
    I must have misunderstood something.
    
    So, if we have a namespace collision -- then we have to make the 
    implementation have the restriction that a global username can't exist as a 
    database-specific username -- but two or more database-specific usernames can 
    be the same.  So, have a trigger on insertion of a user that checks for an 
    existing user attached to template1 (again, for consistency -- installation 
    wide templates are in template1 -- installation-wide users should be too) -- 
    and then aborts the CREATE USER if so.
    
    > This is how I got to the installuser hack in the first place.  In fact,
    > even the install user, typically 'postgres' has a problem because if you
    > create 'postgres@db1', 'postgres' will have trouble connecing to db1 as
    > themselves. I think we can live with one user who is special/global, but
    > not more than one because of the confusion it would create.
    
    If you say CREATE USER lowen@pari for the syntax, the create user trips the 
    trigger, which checks for lowen@template1 and aborts if so.  CREATE USER 
    lowen@template1 does the same, checking for ANY user lowen.  Namespace 
    collision averted?  CREATE USER lowen would be the same as CREATE USER 
    lowen@connecteddb, so that the subsuperuser for connecteddb can just CREATE 
    USER without qualifying -- the command line createdb could take the @dbname 
    argument, splitting it out and connecting to the proper database.  This has 
    ramifications, I admit.  And just saying that unqualified CREATE USER's 
    should create the user@template1 introduces its own problems.
    
    > I can change the way this works, but we need a solution without holes.
    
    Trigger on the holes.  But if I can't (or shouldn't) be able to specify the 
    @dbname from the client, there is GOING to be a namespace collision if 
    installation-wide users of ANY name are allowed (which is what you've already 
    said -- just repeating for emphasis).  Or we will have to forbid the postgres 
    user from being reused -- trigger on CREATE USER and abort if user=postgres, 
    I guess.
    
    Now as to the toggling of the feature -- what happens when you have lowen@pari 
    and lowen@wgcr coexisting, and you turn off the feature?  Which password 
    becomes valid for the resultant singular user lowen?  IMHO, if two or more 
    users of the same name occurs, then you shouldn't be able to turn the feature 
    off.
    
    I know you've already put alot of work into this, Bruce.  But what if the 
    feature isn't toggled, but always there, just waiting to be exploited by 
    CREATE USER user@db, with the default CREATE USER always putting the user 
    into association with the currently connected database?  Is there bad 
    overhead involved?  Is it something that could break installations not using 
    the feature?  Or should CREATE USER with an unqualified username default to 
    @template1 (what I originally thought it should).
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  91. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-14T21:44:28Z

    Lamar Owen <lamar.owen@wgcr.org> writes:
    > So the former plain 'postgres' user could still be such to us, to client 
    > programs, etc, but the backend would assume that that meant 
    > postgres@template1 -- no namespace collision, and the special case is that 
    > anyone@template1 has the behavior the unadorned plain user now has.
    
    The trouble with that scheme is that there is zero interoperability
    between the plain-vanilla mode (postgres is postgres in pg_shadow) and
    the @-mode (postgres is postgres@template1 in pg_shadow).  Flip the
    configuration switch, in either direction, and you can't log in anymore.
    We'd almost have to make it a frozen-at-initdb setting so that initdb
    would know which form to put into pg_shadow for the superuser, and so
    that entry wouldn't break thereafter.
    
    The reason I like the "lowen" vs "lowen@somedb" pattern is that
    database-global users can log in the same way whether the feature is
    turned on or not; this eliminates the getting-started problem, as well
    as the likelihood of shooting yourself in the foot.
    
    It is true that if you have a global user lowen you'd want to avoid
    creating any local users lowen@somedb, and that the existing code
    wouldn't be able to enforce that.  We could possibly add a few lines
    to CREATE USER to warn about this mistake.  (It should be a warning not
    an error, since if you have no intention of ever using the @-feature
    then there's no reason to restrict your choice of usernames.)
    
    			regards, tom lane
    
    
  92. Re: Open 7.3 items

    Peter Eisentraut <peter_e@gmx.net> — 2002-08-14T22:02:58Z

    Bruce Momjian writes:
    
    > OK, what I didn't want to do we to over-complexify
    
    That's reasonable, but not when you break other things along the way that
    were themselves meant to decomplexify things.
    
    > something that is for only a few users.
    
    If it's only for a few users, please send private patches to them.  Face
    it, it's not going to happen.  It's going to be in the release notes,
    everyone's going to see it, and there's going to be a Slashdot thread
    about how "they" broke the password files.  So let's design a feature for
    everyone.
    
    -- 
    Peter Eisentraut   peter_e@gmx.net
    
    
    
  93. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T22:28:26Z

    OK, I have a new idea.  Seems most don't like that 'postgres' is a
    special user in this context.
    
    How about if we just document that they have to create a
    postgres@template1 user before flipping the switch.  That way, there is
    no special user, no PG_INSTALLER file, and no double-tests for user
    names.
    
    It doesn't give us a global user, but frankly, it seems that such a
    system is never going to work reliably.
    
    Trying to prevent namespace conflicts by checking for users without @
    that may match will make @ a special character in the user namespace,
    and people won't like that.
    
    ---------------------------------------------------------------------------
    
    Tom Lane wrote:
    > Lamar Owen <lamar.owen@wgcr.org> writes:
    > > So the former plain 'postgres' user could still be such to us, to client 
    > > programs, etc, but the backend would assume that that meant 
    > > postgres@template1 -- no namespace collision, and the special case is that 
    > > anyone@template1 has the behavior the unadorned plain user now has.
    > 
    > The trouble with that scheme is that there is zero interoperability
    > between the plain-vanilla mode (postgres is postgres in pg_shadow) and
    > the @-mode (postgres is postgres@template1 in pg_shadow).  Flip the
    > configuration switch, in either direction, and you can't log in anymore.
    > We'd almost have to make it a frozen-at-initdb setting so that initdb
    > would know which form to put into pg_shadow for the superuser, and so
    > that entry wouldn't break thereafter.
    > 
    > The reason I like the "lowen" vs "lowen@somedb" pattern is that
    > database-global users can log in the same way whether the feature is
    > turned on or not; this eliminates the getting-started problem, as well
    > as the likelihood of shooting yourself in the foot.
    > 
    > It is true that if you have a global user lowen you'd want to avoid
    > creating any local users lowen@somedb, and that the existing code
    > wouldn't be able to enforce that.  We could possibly add a few lines
    > to CREATE USER to warn about this mistake.  (It should be a warning not
    > an error, since if you have no intention of ever using the @-feature
    > then there's no reason to restrict your choice of usernames.)
    > 
    > 			regards, tom lane
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 4: Don't 'kill -9' the postmaster
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  94. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-14T22:56:26Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > How about if we just document that they have to create a
    > postgres@template1 user before flipping the switch.  That way, there is
    > no special user, no PG_INSTALLER file, and no double-tests for user
    > names.
    
    ... and no useful superuser account; if you can't connect to anything
    except template1 then you ain't much of a superuser.
    
    To get around that you'd have to create postgres@db1, postgres@db2,
    postgres@db3, etc etc.  This would be a huge pain in the neck; I think
    it'd render the scheme impractical.  (Keep in mind that anybody who'd be
    interested in this feature at all has probably got quite a number of
    databases to contend with.)
    
    			regards, tom lane
    
    
  95. Re: Open 7.3 items

    Nigel J. Andrews <nandrews@investsystems.co.uk> — 2002-08-14T23:30:05Z

    On Wed, 14 Aug 2002, Tom Lane wrote:
    
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > I have no personal preference between period and @ or whatever.  See if
    > > you can get some other votes for @ because most left @ when the ORDER BY
    > > idea came up from Marc.
    > 
    > FWIW, I still lean to username@database, so I think we're roughly at a
    > tie.  It would be good to get more votes ...
    
    Seeing as this is rumbling on I'll throw in my fraction of a vote.
    
    I too like the user@database form, partly because it 'reads'. On the other hand
    I can see the the reasons to like database.user and it does match the style of
    database.schema.object.
    
    Unfortunately for this second form, as '.' is a valid character in a database
    name then I can see this causing problems, especially with the behind the
    scenes combination of the two names. I don't see this problem with the '@' form
    because I can't see that character being used in a 'unqualified' user name.
    Hmmm...not sure that makes a terribly good arguement for my vote for 'user@db',
    is there a third choice for us confused folks to go for? A
    compromise: database@username ?
    
    
    [BTW, I did check and '@' seems to be a valid character in database and user
    names.]
    
    
    -- 
    Nigel J. Andrews
    Director
    
    ---
    Logictree Systems Limited
    Computer Consultants
    
    
    
  96. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-14T23:44:25Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > How about if we just document that they have to create a
    > > postgres@template1 user before flipping the switch.  That way, there is
    > > no special user, no PG_INSTALLER file, and no double-tests for user
    > > names.
    > 
    > ... and no useful superuser account; if you can't connect to anything
    > except template1 then you ain't much of a superuser.
    > 
    > To get around that you'd have to create postgres@db1, postgres@db2,
    > postgres@db3, etc etc.  This would be a huge pain in the neck; I think
    > it'd render the scheme impractical.  (Keep in mind that anybody who'd be
    > interested in this feature at all has probably got quite a number of
    > databases to contend with.)
    
    Yes, I hear you, but that brings us around full-circle to the original
    patch with one super-user who is the install user. 
    
    I don't know where else to go with the patch at this point.  I think
    increasing the number of 'global' users is polluting the namespace too
    much, and having none seems to be unappealing.  This is why I am back to
    just the install user.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  97. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-14T23:58:31Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > I don't know where else to go with the patch at this point.  I think
    > increasing the number of 'global' users is polluting the namespace too
    > much,
    
    Why?  If the installation needs N global users, then it needs N global
    users; who are you to make that value judgment for them?
    
    In practice I think an installation that's using this feature is going
    to have a pretty small number of global users, and so the issue of
    collisions with local usernames isn't really as big as it's been painted
    in this thread.  We could ignore that issue (except for documenting it)
    and have a perfectly serviceable feature.
    
    But I don't think it's a wise idea to design the thing in a way that
    makes it impossible to have more than one global user.
    
    If you don't like including all the pg_shadow entries in the flat file
    (though I really don't see any problem with that), could we replace
    PG_INSTALL with a pg_global_users config file that lists the global user
    names?  I think it would be good enough to let this be hand-maintained,
    with initdb initializing it to contain the install user's name.
    
    			regards, tom lane
    
    
  98. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-14T23:59:33Z

    On Wed, 14 Aug 2002, Bruce Momjian wrote:
    
    > Tom Lane wrote:
    > > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > > How about if we just document that they have to create a
    > > > postgres@template1 user before flipping the switch.  That way, there is
    > > > no special user, no PG_INSTALLER file, and no double-tests for user
    > > > names.
    > >
    > > ... and no useful superuser account; if you can't connect to anything
    > > except template1 then you ain't much of a superuser.
    > >
    > > To get around that you'd have to create postgres@db1, postgres@db2,
    > > postgres@db3, etc etc.  This would be a huge pain in the neck; I think
    > > it'd render the scheme impractical.  (Keep in mind that anybody who'd be
    > > interested in this feature at all has probably got quite a number of
    > > databases to contend with.)
    >
    > Yes, I hear you, but that brings us around full-circle to the original
    > patch with one super-user who is the install user.
    >
    > I don't know where else to go with the patch at this point.  I think
    > increasing the number of 'global' users is polluting the namespace too
    > much, and having none seems to be unappealing.  This is why I am back to
    > just the install user.
    
    I wouldn't be in favor of that.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  99. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-15T00:30:47Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > I don't know where else to go with the patch at this point.  I think
    > > increasing the number of 'global' users is polluting the namespace too
    > > much,
    > 
    > Why?  If the installation needs N global users, then it needs N global
    > users; who are you to make that value judgment for them?
    > 
    > In practice I think an installation that's using this feature is going
    > to have a pretty small number of global users, and so the issue of
    > collisions with local usernames isn't really as big as it's been painted
    > in this thread.  We could ignore that issue (except for documenting it)
    > and have a perfectly serviceable feature.
    
    The original idea was that Marc wanted people who could create their own
    users for their own databases.  If we make the creation of global users
    too easy, all of a sudden people don't have control over their db
    usernames because they have to avoid all the global user names already
    defined.  By adding multiple global users, it is diluting the usefulness
    of the feature.
    
    I suppose a pg_global_users file would be a compromise because only the
    admin could actually add people to that file.  If it was more automatic,
    like writing pg_shadow, someone could create a user without an @ and
    block access for other users to other database, which is bad.
    
    I still don't like the fact that people think they have control over
    their db namespace, when they really don't, but no one else seems to see
    that as a problem.  The namespace conflicts just yell of poor design.
    
    OK, I have another idea.  What if we make global users end with an @, so
    dave@ is a global user.  We can easily check for that in the postmaster
    and not append the dbname.  I know it makes @ a special character, but
    considering the problem of namespace collision, it seems better than
    what we have now.  We could add the install user too if we wish, or just
    tell them to make sure they add a user@ before turning on the feature.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  100. Re: Open 7.3 items

    ngpg@grymmjack.com — 2002-08-15T01:57:51Z

    pgman@candle.pha.pa.us (Bruce Momjian) wrote:
    > Tom Lane wrote:
    >> Bruce Momjian <pgman@candle.pha.pa.us> writes:
    >> > I don't know where else to go with the patch at this point.  I
    >> > think increasing the number of 'global' users is polluting the
    >> > namespace too much,
    >> 
    >> Why?  If the installation needs N global users, then it needs N
    >> global users; who are you to make that value judgment for them?
    >> 
    >> In practice I think an installation that's using this feature is
    >> going to have a pretty small number of global users, and so the issue
    >> of collisions with local usernames isn't really as big as it's been
    >> painted in this thread.  We could ignore that issue (except for
    >> documenting it) and have a perfectly serviceable feature.
    > 
    > The original idea was that Marc wanted people who could create their
    > own users for their own databases.  If we make the creation of global
    > users too easy, all of a sudden people don't have control over their
    > db usernames because they have to avoid all the global user names
    > already defined.  By adding multiple global users, it is diluting the
    > usefulness of the feature.
    > 
    
    Maybe I am missing something here but shouldnt db access really be part
    of the privileges system?  If all we are talking about is a quick hack
    until this can be implemented correctly, what is the concern with having
    so much functionality in the hack?  Why does it matter what the actual
    usernames can or cant be?  For example you could just make everyone with
    a username NNNNNN@dbname (where N's are int) local accounts and then
    leave everything else alone.  The only issue I could see with something
    like this would be that someone trying to use this hack wont be able to
    give their users names like pudgy@dbname, but who cares?  I mean if you
    are giving access to a bunch of developers, how is it going to affect
    them if you tell them to login with 123456@yourdb instead of
    jsmith@yourdb?  If they cant remember it or something maybe they can
    write it down?  I dunno... 
    
    
  101. Re: Open 7.3 items

    Joe Conway <mail@joeconway.com> — 2002-08-15T06:12:12Z

    Hannu Krosing wrote:
    > What about functions
    > 
    > 1. split(text,text,int) returns text
    > 
    > 2. split(text,text) returns text[]
    > 
    > and why not
    > 
    > 3. split(text,text,text) returns text
    > 
    > which returns text from $1 delimited by $2 and $3
    
    Given the time remaining before beta, I'll be happy just to get #1 done.
    
    I can see the utility of #2 (or perhaps even a table function which 
    breaks the string into individual rows). I'm not sure I understand #3.
    
    I am concerned about the name though -- only in that there are usually 
    objections raised to function names that are too likely to conflict with 
    user created function names. But "split" is good from the standpoint 
    that it is used in other languages, so people should find it familiar.
    
    Anyone have comments on the name?
    
    Joe
    
    
    
  102. Re: Open 7.3 items

    Mike Mascari <mascarm@mascari.com> — 2002-08-15T07:27:06Z

    Joe Conway wrote:
    > 
    > Hannu Krosing wrote:
    > > What about functions
    > >
    > > 1. split(text,text,int) returns text
    > >
    > > 2. split(text,text) returns text[]
    > >
    > > and why not
    > >
    > > 3. split(text,text,text) returns text
    > >
    > > which returns text from $1 delimited by $2 and $3
    > 
    > Given the time remaining before beta, I'll be happy just to get #1 done.
    > 
    > I can see the utility of #2 (or perhaps even a table function which
    > breaks the string into individual rows). I'm not sure I understand #3.
    > 
    > I am concerned about the name though -- only in that there are usually
    > objections raised to function names that are too likely to conflict with
    > user created function names. But "split" is good from the standpoint
    > that it is used in other languages, so people should find it familiar.
    > 
    > Anyone have comments on the name?
    
    Actually, I've been wondering if it wouldn't be a good idea with schemas
    coming to think now about how to divide up namespaces for all sorts of
    things, including PostgreSQL's built in functions, the contrib code,
    etc. I think a naming scheme with which both PostgreSQL and the
    community would comply, a la Java's reverse DNS scheme for namespaces
    would be neat. So when a database is installed, the following schemas
    are automatically created:
    
    org.postgresql.system <- System tables and core functions
    org.postgresql.text <- Text related functions
    org.postgresql.math <- Math related functions
    org.postgresql.fts <- Full-Text schema
    
    or perhaps:
    
    org.postgresql.contrib.fts <- Full-Text schema
    
    etc.
    
    I don't even know if "." is allowed in the schema names, but you get the
    idea. Then, a users search_path (or whatever it's called, I haven't used
    the development version in a while), would be the equivalent of Java's
    "import" statement, or C++'s "using" statement. So "split" would be a
    function in the org.postgresql.text schema.
    
    How about them apples?
    
    If this is an insane idea, its 3:32 A.M. my time ;-)
    
    Mike Mascari
    mascarm@mascari.com
    
    > 
    > Joe
    
    
  103. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-15T13:18:30Z

    Mike Mascari <mascarm@mascari.com> writes:
    > I don't even know if "." is allowed in the schema names,
    
    It isn't, and we couldn't invent such a scheme without seriously
    diverging from SQL compliance: the next naming level up from schemas is
    reserved for catalogs (think databases).  I don't know that we'll ever
    support cross-database access, but we shouldn't foreclose the
    possibility in pursuit of a naming scheme that doesn't really add very
    much value.
    
    You could possibly fake it with schema names like org_postgresql_foo,
    but I can't get very excited about that ...
    
    			regards, tom lane
    
    
  104. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-15T15:54:17Z

    OK, no one complained/commented on my idea of having global users have a
    trailing '@', so here is a patch that implements that.  It has the
    advantages of:
    
    	no special install user (create global user before enabling feature)
    	no /data/PG_INSTALLER file
    	allows multiple global users to be easily added
    	no namespace collisions because globals have a trailing @
    	easy for postmaster to recognize global users
    	no double-user lookups of pg_pwd changes
    	very small patch footprint
    
    The only downside is that it treats '@' as a special character when it
    is enabled, but frankly, because we are appending @dbname anyway, having
    '@' as a special character in that case makes sense.
    
    Comments?
    
    ---------------------------------------------------------------------------
    
    Bruce Momjian wrote:
    > Tom Lane wrote:
    > > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > > I don't know where else to go with the patch at this point.  I think
    > > > increasing the number of 'global' users is polluting the namespace too
    > > > much,
    > > 
    > > Why?  If the installation needs N global users, then it needs N global
    > > users; who are you to make that value judgment for them?
    > > 
    > > In practice I think an installation that's using this feature is going
    > > to have a pretty small number of global users, and so the issue of
    > > collisions with local usernames isn't really as big as it's been painted
    > > in this thread.  We could ignore that issue (except for documenting it)
    > > and have a perfectly serviceable feature.
    > 
    > The original idea was that Marc wanted people who could create their own
    > users for their own databases.  If we make the creation of global users
    > too easy, all of a sudden people don't have control over their db
    > usernames because they have to avoid all the global user names already
    > defined.  By adding multiple global users, it is diluting the usefulness
    > of the feature.
    > 
    > I suppose a pg_global_users file would be a compromise because only the
    > admin could actually add people to that file.  If it was more automatic,
    > like writing pg_shadow, someone could create a user without an @ and
    > block access for other users to other database, which is bad.
    > 
    > I still don't like the fact that people think they have control over
    > their db namespace, when they really don't, but no one else seems to see
    > that as a problem.  The namespace conflicts just yell of poor design.
    > 
    > OK, I have another idea.  What if we make global users end with an @, so
    > dave@ is a global user.  We can easily check for that in the postmaster
    > and not append the dbname.  I know it makes @ a special character, but
    > considering the problem of namespace collision, it seems better than
    > what we have now.  We could add the install user too if we wish, or just
    > tell them to make sure they add a user@ before turning on the feature.
    > 
    > -- 
    >   Bruce Momjian                        |  http://candle.pha.pa.us
    >   pgman@candle.pha.pa.us               |  (610) 359-1001
    >   +  If your life is a hard drive,     |  13 Roberts Road
    >   +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 6: Have you searched our list archives?
    > 
    > http://archives.postgresql.org
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
  105. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-15T16:06:31Z

    On Thu, 15 Aug 2002, Bruce Momjian wrote:
    
    >
    > OK, no one complained/commented on my idea of having global users have a
    > trailing '@', so here is a patch that implements that.  It has the
    > advantages of:
    
    Probably because not everyone saw it.  I know I didn't.  This entire
    issue is growing more and more complex.  How about a configure item
    to not even compile it in?  Or better yet, a configure item to put
    it there with the default off.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  106. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-15T16:13:25Z

    Vince, you were in the CC, and it went to hackers:
    	
    	Message 772/835 Bruce Momjian                                           
    	                Aug 14, 2002 08:30:47 pm -0400
    	Subject: Re: [HACKERS] Open 7.3 items
    	To: Tom Lane <tgl@sss.pgh.pa.us>
    	Date: Wed, 14 Aug 2002 20:30:47 -0400 (EDT)
    	cc: Lamar Owen <lamar.owen@wgcr.org>, Vince Vielhaber <vev@michvhf.com>,
    	           PostgreSQL-development <pgsql-hackers@postgresql.org>
    	X-Virus-Scanned: by AMaViS new-20020517
    	Precedence: bulk
    	Sender: pgsql-hackers-owner@postgresql.org
    	X-Virus-Scanned: by AMaViS new-20020517
    
    ---------------------------------------------------------------------------
    
    Vince Vielhaber wrote:
    > On Thu, 15 Aug 2002, Bruce Momjian wrote:
    > 
    > >
    > > OK, no one complained/commented on my idea of having global users have a
    > > trailing '@', so here is a patch that implements that.  It has the
    > > advantages of:
    > 
    > Probably because not everyone saw it.  I know I didn't.  This entire
    > issue is growing more and more complex.  How about a configure item
    > to not even compile it in?  Or better yet, a configure item to put
    > it there with the default off.
    > 
    > Vince.
    > -- 
    > ==========================================================================
    > Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
    >          56K Nationwide Dialup from $16.00/mo at Pop4 Networking
    >       http://www.camping-usa.com      http://www.cloudninegifts.com
    >    http://www.meanstreamradio.com       http://www.unknown-artists.com
    > ==========================================================================
    > 
    > 
    > 
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  107. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-15T16:16:32Z

    Vince Vielhaber wrote:
    > On Thu, 15 Aug 2002, Bruce Momjian wrote:
    > 
    > >
    > > OK, no one complained/commented on my idea of having global users have a
    > > trailing '@', so here is a patch that implements that.  It has the
    > > advantages of:
    > 
    > Probably because not everyone saw it.  I know I didn't.  This entire
    > issue is growing more and more complex.  How about a configure item
    > to not even compile it in?  Or better yet, a configure item to put
    > it there with the default off.
    
    I think I am prety close, and I don't see a configure flag as any better
    than a GUC option that is off by default.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  108. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-15T16:34:40Z

    On Thu, 15 Aug 2002, Bruce Momjian wrote:
    
    >
    > Vince, you were in the CC, and it went to hackers:
    
    Oh, I'm not saying I didn't get it, I'm saying I didn't see it in
    the message.  It looked as if you were only replying to Tom so after
    reading the jist of it I moved on.  When you included it a little
    while ago I wondered what you were referring to so I read the whole
    thing more carefully and realized that I missed the end.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  109. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-15T16:38:45Z

    On Thu, 15 Aug 2002, Bruce Momjian wrote:
    
    > Vince Vielhaber wrote:
    > > On Thu, 15 Aug 2002, Bruce Momjian wrote:
    > >
    > > >
    > > > OK, no one complained/commented on my idea of having global users have a
    > > > trailing '@', so here is a patch that implements that.  It has the
    > > > advantages of:
    > >
    > > Probably because not everyone saw it.  I know I didn't.  This entire
    > > issue is growing more and more complex.  How about a configure item
    > > to not even compile it in?  Or better yet, a configure item to put
    > > it there with the default off.
    >
    > I think I am prety close, and I don't see a configure flag as any better
    > than a GUC option that is off by default.
    
    But how many people would even use it?  I can't see adding the bloat
    unnecessarily and risking it accidently being turned on.  Am I wrong
    and really alot of people actually want/need this?
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  110. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-15T16:41:10Z

    Vince Vielhaber wrote:
    > On Thu, 15 Aug 2002, Bruce Momjian wrote:
    > 
    > > Vince Vielhaber wrote:
    > > > On Thu, 15 Aug 2002, Bruce Momjian wrote:
    > > >
    > > > >
    > > > > OK, no one complained/commented on my idea of having global users have a
    > > > > trailing '@', so here is a patch that implements that.  It has the
    > > > > advantages of:
    > > >
    > > > Probably because not everyone saw it.  I know I didn't.  This entire
    > > > issue is growing more and more complex.  How about a configure item
    > > > to not even compile it in?  Or better yet, a configure item to put
    > > > it there with the default off.
    > >
    > > I think I am prety close, and I don't see a configure flag as any better
    > > than a GUC option that is off by default.
    > 
    > But how many people would even use it?  I can't see adding the bloat
    > unnecessarily and risking it accidently being turned on.  Am I wrong
    > and really alot of people actually want/need this?
    
    Well, the demand seems to be larger than I thought, considering the
    number of people who have chimed in and want certain features, like
    multiple global users.  I see this being using more by ISP's and
    universities that need better user/db partitioning.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  111. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-15T16:50:58Z

    On Thu, 15 Aug 2002, Bruce Momjian wrote:
    
    > Vince Vielhaber wrote:
    > > On Thu, 15 Aug 2002, Bruce Momjian wrote:
    > >
    > > > Vince Vielhaber wrote:
    > > > > On Thu, 15 Aug 2002, Bruce Momjian wrote:
    > > > >
    > > > > >
    > > > > > OK, no one complained/commented on my idea of having global users have a
    > > > > > trailing '@', so here is a patch that implements that.  It has the
    > > > > > advantages of:
    > > > >
    > > > > Probably because not everyone saw it.  I know I didn't.  This entire
    > > > > issue is growing more and more complex.  How about a configure item
    > > > > to not even compile it in?  Or better yet, a configure item to put
    > > > > it there with the default off.
    > > >
    > > > I think I am prety close, and I don't see a configure flag as any better
    > > > than a GUC option that is off by default.
    > >
    > > But how many people would even use it?  I can't see adding the bloat
    > > unnecessarily and risking it accidently being turned on.  Am I wrong
    > > and really alot of people actually want/need this?
    >
    > Well, the demand seems to be larger than I thought, considering the
    > number of people who have chimed in and want certain features, like
    > multiple global users.  I see this being using more by ISP's and
    > universities that need better user/db partitioning.
    
    I don't know that concern over a possible limited number of global
    users is directly proportional to the desire for the feature.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  112. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-15T16:56:49Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > + /* We append database name if db_user_namespace true. */
    > + #define SM_DATABASE_USER (SM_DATABASE+SM_USER)
    
    Is this calculation correct?  I'd think you'd need at least one more
    character to allow for the "@".  And I'm not sure about whether trailing
    nulls are or need to be counted.  There seem to be some places in your
    patch where things are dimensioned SM_DATABASE_USER and some where it's
    SM_DATABASE_USER+1; why the inconsistency, and which is right?
    
    Other than getting the array sizes right, it does look like a nice
    patch; very small, which is what I'd hoped for.  The notion of having to
    say "postgres@" still seems kinda ugly, but given the simplicity of the
    patch I'm willing to live with that.
    
    			regards, tom lane
    
    
  113. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-15T17:00:37Z

    On Thu, 15 Aug 2002, Tom Lane wrote:
    
    > Other than getting the array sizes right, it does look like a nice
    > patch; very small, which is what I'd hoped for.  The notion of having to
    > say "postgres@" still seems kinda ugly, but given the simplicity of the
    > patch I'm willing to live with that.
    
    Going from postgres to postgres@ ???  I don't care how simple the patch
    is, I'd rather it was configurable to keep it out completely.  That's
    not just ugly, that's coyote ugly!
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  114. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-15T17:04:16Z

    On Thursday 15 August 2002 11:54 am, Bruce Momjian wrote:
    > OK, no one complained/commented on my idea of having global users have a
    > trailing '@', so here is a patch that implements that.  It has the
    > advantages of:
    
    As it's substantially the same as user@template1, I am of course OK with it. 
    :-)  Easier to type than user@template1, too.
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  115. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-15T17:07:34Z

    Vince Vielhaber <vev@michvhf.com> writes:
    > Going from postgres to postgres@ ???  I don't care how simple the patch
    > is, I'd rather it was configurable to keep it out completely.  That's
    > not just ugly, that's coyote ugly!
    
    Yeah, but it doesn't affect you unless you turn on the GUC parameter.
    Most people will never even know this code is there.
    
    			regards, tom lane
    
    
  116. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-15T17:13:52Z

    On Thu, 15 Aug 2002, Tom Lane wrote:
    
    > Vince Vielhaber <vev@michvhf.com> writes:
    > > Going from postgres to postgres@ ???  I don't care how simple the patch
    > > is, I'd rather it was configurable to keep it out completely.  That's
    > > not just ugly, that's coyote ugly!
    >
    > Yeah, but it doesn't affect you unless you turn on the GUC parameter.
    > Most people will never even know this code is there.
    
    But it doesn't need to affect anyone, even if it's enabled.  Isn't
    the lack of an @ just as good as an @ at the end of the username?
    Gets rid of the ugliness and won't break things if it's suddenly
    enabled.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  117. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-15T17:21:26Z

    Vince Vielhaber <vev@michvhf.com> writes:
    > But it doesn't need to affect anyone, even if it's enabled.  Isn't
    > the lack of an @ just as good as an @ at the end of the username?
    
    No, because there isn't any @ in the incoming connection request in the
    normal-user case: just a user name and a database name, which *we* have
    to assemble into user@database.
    
    We can't really expect the users to do this for us (give user@database
    as their full user name).  There are a number of reasons why I don't
    wanna do that, but the real showstopper is that the username field of
    the connection request packet is only 32 bytes wide, and we cannot
    enlarge it without a protocol breakage.  Fitting "user@database" in 32
    bytes would be awfully restrictive about your user and database names.
    
    			regards, tom lane
    
    
  118. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-15T17:43:01Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > + /* We append database name if db_user_namespace true. */
    > > + #define SM_DATABASE_USER (SM_DATABASE+SM_USER)
    > 
    > Is this calculation correct?  I'd think you'd need at least one more
    > character to allow for the "@".  And I'm not sure about whether trailing
    > nulls are or need to be counted.  There seem to be some places in your
    > patch where things are dimensioned SM_DATABASE_USER and some where it's
    > SM_DATABASE_USER+1; why the inconsistency, and which is right?
    
    Yes, there was some inconsistency.  The new patch fixes that up; 
    attached.
    
    > Other than getting the array sizes right, it does look like a nice
    > patch; very small, which is what I'd hoped for.  The notion of having to
    > say "postgres@" still seems kinda ugly, but given the simplicity of the
    > patch I'm willing to live with that.
    
    Glad we have something now everyone likes, or at least can live with.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
  119. Re: Open 7.3 items

    Rod Taylor <rbt@zort.ca> — 2002-08-15T18:10:24Z

    > But how many people would even use it?  I can't see adding the bloat
    > unnecessarily and risking it accidently being turned on.  Am I wrong
    > and really alot of people actually want/need this?
    
    At an absolute minimum there are two.  Myself and Marc.
    
    That said, this is a semi-required step to offerring Postgresql as a
    service to clients.  The refined permissions where a much more important
    step.
    
    So, take the number of people actively watching -hackers and use that as
    a percentage.
    
    
    
    
    
  120. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-15T18:30:34Z

    On Thu, 15 Aug 2002, Tom Lane wrote:
    
    > Vince Vielhaber <vev@michvhf.com> writes:
    > > But it doesn't need to affect anyone, even if it's enabled.  Isn't
    > > the lack of an @ just as good as an @ at the end of the username?
    >
    > No, because there isn't any @ in the incoming connection request in the
    > normal-user case: just a user name and a database name, which *we* have
    > to assemble into user@database.
    >
    > We can't really expect the users to do this for us (give user@database
    > as their full user name).  There are a number of reasons why I don't
    > wanna do that, but the real showstopper is that the username field of
    > the connection request packet is only 32 bytes wide, and we cannot
    > enlarge it without a protocol breakage.  Fitting "user@database" in 32
    > bytes would be awfully restrictive about your user and database names.
    
    Ok, I misunderstood.  I thought it was the user going to have to type
    that in based on some of yesterday's comments.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  121. Re: Open 7.3 items

    Peter Eisentraut <peter_e@gmx.net> — 2002-08-15T19:30:45Z

    Bruce Momjian writes:
    
    > OK, I have another idea.  What if we make global users end with an @, so
    > dave@ is a global user.  We can easily check for that in the postmaster
    > and not append the dbname.  I know it makes @ a special character, but
    > considering the problem of namespace collision, it seems better than
    > what we have now.  We could add the install user too if we wish, or just
    > tell them to make sure they add a user@ before turning on the feature.
    
    I don't like where this is going.  The original plan was to create a
    feature that was simple and transparent.  Now we have a feature that might
    be simple to implement, but is neither simple to understand nor
    transparent.  Instead it uglifies the common interfaces.
    
    I don't see what the problem is of dumping out the entire content of
    pg_shadow into a flat file.  First you look for a non-@ user, then you
    look for an @ user that matches the database.
    
    The interface should drive the implementation, not the other way around.
    
    -- 
    Peter Eisentraut   peter_e@gmx.net
    
    
    
  122. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-15T19:51:46Z

    Peter Eisentraut <peter_e@gmx.net> writes:
    > I don't see what the problem is of dumping out the entire content of
    > pg_shadow into a flat file.  First you look for a non-@ user, then you
    > look for an @ user that matches the database.
    
    While I'd prefer that approach myself, the way Bruce is proposing does
    have a definite advantage: there is no problem with confusion between
    global users and database-local users of the same username.  "foo@" is
    global, "foo" is not.
    
    My own feeling is that the confusion argument is a weak one, and that
    not having to use "@" to log in as a global user would be worth having
    to avoid duplicating global and local names.  But I'm not sufficiently
    excited about it to volunteer to do the work ;-)
    
    			regards, tom lane
    
    
  123. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-15T20:04:24Z

    On Thu, 15 Aug 2002, Tom Lane wrote:
    
    > Peter Eisentraut <peter_e@gmx.net> writes:
    > > I don't see what the problem is of dumping out the entire content of
    > > pg_shadow into a flat file.  First you look for a non-@ user, then you
    > > look for an @ user that matches the database.
    >
    > While I'd prefer that approach myself, the way Bruce is proposing does
    > have a definite advantage: there is no problem with confusion between
    > global users and database-local users of the same username.  "foo@" is
    > global, "foo" is not.
    >
    > My own feeling is that the confusion argument is a weak one, and that
    > not having to use "@" to log in as a global user would be worth having
    > to avoid duplicating global and local names.  But I'm not sufficiently
    > excited about it to volunteer to do the work ;-)
    
    Here we go again.  I thought you just said that the @ wouldn't be
    something a user would have to do.  I understood that to be any user.
    It's back to ugly again.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  124. Re: Open 7.3 items

    ngpg@grymmjack.com — 2002-08-15T23:03:23Z

    vev@michvhf.com (Vince Vielhaber) wrote
    > Here we go again.  I thought you just said that the @ wouldn't be
    > something a user would have to do.  I understood that to be any user.
    > It's back to ugly again.
    > 
    > Vince.
    
    If it means anything to you, I agree that it should be a configure/compile 
    time option and not a GUC variable -- no, actually this whole thing should 
    just be distributed as diff in contrib and if someone wants it they could 
    patch it by hand, thats just as asinine as the current implemenation.
    
    What about actually incorporating this into the privileges system?
    
    
  125. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-16T01:12:02Z

    Tom Lane wrote:
    > Peter Eisentraut <peter_e@gmx.net> writes:
    > > I don't see what the problem is of dumping out the entire content of
    > > pg_shadow into a flat file.  First you look for a non-@ user, then you
    > > look for an @ user that matches the database.
    > 
    > While I'd prefer that approach myself, the way Bruce is proposing does
    > have a definite advantage: there is no problem with confusion between
    > global users and database-local users of the same username.  "foo@" is
    > global, "foo" is not.
    > 
    > My own feeling is that the confusion argument is a weak one, and that
    > not having to use "@" to log in as a global user would be worth having
    > to avoid duplicating global and local names.  But I'm not sufficiently
    > excited about it to volunteer to do the work ;-)
    
    If we don't suffix global users with '@', a global user named 'dave'
    could not attach to a database called 'db1' as himself if a user called
    'dave@db1' existed. If you have a super-user, who you want to be able to
    connect to any database, the creation of that name in any database would
    block the superuser from connecting as themselves.  That is the
    confusion I want to avoid.  
    
    I have seen some negative reactions to the feature.  I am willing to ask
    for a vote, if that is what people want.  If not, I will apply the patch
    in the next day or two.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  126. Re: Open 7.3 items

    Rod Taylor <rbt@zort.ca> — 2002-08-16T01:14:42Z

    > I have seen some negative reactions to the feature.  I am willing to ask
    > for a vote, if that is what people want.  If not, I will apply the patch
    > in the next day or two.
    
    Please apply.
    
    
    
  127. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-16T02:20:14Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > If we don't suffix global users with '@', a global user named 'dave'
    > could not attach to a database called 'db1' as himself if a user called
    > 'dave@db1' existed.
    
    No, it's the other way around (assuming you check user before user@db):
    the existence of a global user would prevent similarly-named local users
    from connecting.  This does not strike me as too terrible, assuming that
    there are not very many global users.
    
    			regards, tom lane
    
    
  128. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-16T04:10:54Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > If we don't suffix global users with '@', a global user named 'dave'
    > > could not attach to a database called 'db1' as himself if a user called
    > > 'dave@db1' existed.
    > 
    > No, it's the other way around (assuming you check user before user@db):
    > the existence of a global user would prevent similarly-named local users
    > from connecting.  This does not strike me as too terrible, assuming that
    > there are not very many global users.
    
    Yes, something like that.  It could go either way.  I never actually
    coded the double checking.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  129. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-16T09:21:45Z

    On Thu, 15 Aug 2002, Bruce Momjian wrote:
    
    > I have seen some negative reactions to the feature.  I am willing to ask
    > for a vote, if that is what people want.  If not, I will apply the patch
    > in the next day or two.
    
    So are you calling for a vote or just willing to ask for one?  I vote for
    putting it in contrib and letting whoever wants it apply it and use it.
    The more we discuss it the worse it looks.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  130. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-16T13:47:44Z

    Vince Vielhaber <vev@michvhf.com> writes:
    > So are you calling for a vote or just willing to ask for one?  I vote for
    > putting it in contrib and letting whoever wants it apply it and use it.
    
    The trouble with putting it in contrib is that that makes it effectively
    unavailable to anyone who installs from RPMs, or otherwise doesn't build
    from source for themselves.  Putting a patch diff in contrib is a bad
    idea anyway since the patch will suffer bit-rot in no time, as the
    referenced files change.
    
    Since the patch is small and doesn't change behavior or performance if
    you don't enable the feature, I don't think there's a good reason to
    push it off to contrib just because it's ugly.
    
    > The more we discuss it the worse it looks.
    
    I still like the other way better --- but I'm still not prepared to do
    the legwork to make it happen, so I have to defer to whatever Bruce is
    willing to implement.
    
    			regards, tom lane
    
    
  131. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-16T14:21:12Z

    On Fri, 16 Aug 2002, Tom Lane wrote:
    
    > Vince Vielhaber <vev@michvhf.com> writes:
    > > So are you calling for a vote or just willing to ask for one?  I vote for
    > > putting it in contrib and letting whoever wants it apply it and use it.
    >
    > The trouble with putting it in contrib is that that makes it effectively
    > unavailable to anyone who installs from RPMs, or otherwise doesn't build
    > from source for themselves.  Putting a patch diff in contrib is a bad
    > idea anyway since the patch will suffer bit-rot in no time, as the
    > referenced files change.
    
    RPMs aren't a good enough reason to put it in.  All features aren't
    installed in an RPM, why would this need to?   Besides, anything that
    is runtime configurable can end up getting its default changed on a
    whim.  Then again as long as 7.2.1 is stable enough for me there's
    no reason to upgrade 'cuze I damn sure ain't going back and changing
    all sorts of programs and scripts that have global users.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  132. Re: Open 7.3 items

    Lee Kindness <lkindness@csl.co.uk> — 2002-08-16T14:40:15Z

    Vince Vielhaber writes:
     > [ 'user@' patch ]
     > whim.  Then again as long as 7.2.1 is stable enough for me there's
     > no reason to upgrade 'cuze I damn sure ain't going back and changing
     > all sorts of programs and scripts that have global users.
    
    Having read bits and pieces of this thread, can those in favour
    confirm that this would be an effect of this patch? If so I fail to
    see the usefulness of this and indeed it would be very harmful to
    existing installations! All use of PostgreSQL utilities in scripts for
    our product always do a '-U sprint' to use a global user, this aids
    our internal development and makes installation notes for clients
    easier...
    
    Also what effect would adding significance to '@' in the context of
    usernames have, if any, on the current use of it as a database/host
    separator (in ECPG, certainly would be useful in the utilities too)?
    
    Thanks, Lee.
    
    
  133. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-16T14:48:42Z

    Lee Kindness <lkindness@csl.co.uk> writes:
    > Vince Vielhaber writes:
    >>> [ 'user@' patch ]
    >>> whim.  Then again as long as 7.2.1 is stable enough for me there's
    >>> no reason to upgrade 'cuze I damn sure ain't going back and changing
    >>> all sorts of programs and scripts that have global users.
    
    > Having read bits and pieces of this thread, can those in favour
    > confirm that this would be an effect of this patch?
    
    I think Vince is talking through his hat.  The proposed flag wouldn't
    ever be enabled by default.  If someone did turn it on in their
    installation "on a whim", they'd soon turn it off again if they didn't
    like the effects.  I do not see much difference between the above
    argument and arguing "we shouldn't have i18n support, because if I
    turned it on on a whim I wouldn't be able to read my error messages".
    
    Once again: *no one* has at any time suggested that any form of this
    patch should affect the default behavior in the slightest.
    
    > Also what effect would adding significance to '@' in the context of
    > usernames have, if any, on the current use of it as a database/host
    > separator (in ECPG, certainly would be useful in the utilities too)?
    
    Well, I don't see any difficulty there, but if you are aware of a
    context where it'd be a problem, point it out!
    
    			regards, tom lane
    
    
  134. Re: Open 7.3 items

    Ross Reedstrom <reedstrm@rice.edu> — 2002-08-16T14:51:15Z

    On Fri, Aug 16, 2002 at 10:21:12AM -0400, Vince Vielhaber wrote:
     
    > RPMs aren't a good enough reason to put it in.  All features aren't
    > installed in an RPM, why would this need to?   Besides, anything that
    > is runtime configurable can end up getting its default changed on a
    > whim.  Then again as long as 7.2.1 is stable enough for me there's
    > no reason to upgrade 'cuze I damn sure ain't going back and changing
    > all sorts of programs and scripts that have global users.
     
    So, Vince, do you have problems with the various GUC based optimizer
    hooks getting set to other than the default? I'd think you'd notice 
    if suddenly indexscans all went away, or any of these:
    
    #enable_seqscan = true
    #enable_indexscan = true
    #enable_tidscan = true
    #enable_sort = true
    #enable_nestloop = true
    #enable_mergejoin = true
    #enable_hashjoin = true
    
    My point is that your resistance to a GUC controlled runtime configurable
    on the basis of 'it might get changed accidently' makes little sense to
    me, given all the other runtime config settings that never do get changed.
    What makes you think this one will be more susceptible to accidental
    flipping?
    
    I'm not sure who's 'whim' it is that your afraid of: perhaps you have a
    paticularly sadistic DBA to deal with? ;-) And of course, this being 
    free software and all, noone is forcing an upgrade on you.
    
    Ross
    
    
  135. Re: Open 7.3 items

    Larry Rosenman <ler@lerctr.org> — 2002-08-16T15:09:46Z

    On Fri, 2002-08-16 at 09:51, Ross J. Reedstrom wrote:
    > On Fri, Aug 16, 2002 at 10:21:12AM -0400, Vince Vielhaber wrote:
    >  
    > > RPMs aren't a good enough reason to put it in.  All features aren't
    > > installed in an RPM, why would this need to?   Besides, anything that
    > > is runtime configurable can end up getting its default changed on a
    > > whim.  Then again as long as 7.2.1 is stable enough for me there's
    > > no reason to upgrade 'cuze I damn sure ain't going back and changing
    > > all sorts of programs and scripts that have global users.
    >  
    > So, Vince, do you have problems with the various GUC based optimizer
    > hooks getting set to other than the default? I'd think you'd notice 
    > if suddenly indexscans all went away, or any of these:
    > 
    > #enable_seqscan = true
    > #enable_indexscan = true
    > #enable_tidscan = true
    > #enable_sort = true
    > #enable_nestloop = true
    > #enable_mergejoin = true
    > #enable_hashjoin = true
    > 
    > My point is that your resistance to a GUC controlled runtime configurable
    > on the basis of 'it might get changed accidently' makes little sense to
    > me, given all the other runtime config settings that never do get changed.
    > What makes you think this one will be more susceptible to accidental
    > flipping?
    > 
    > I'm not sure who's 'whim' it is that your afraid of: perhaps you have a
    > paticularly sadistic DBA to deal with? ;-) And of course, this being 
    > free software and all, noone is forcing an upgrade on you.
    AND, I thought the general consensus was **AWAY** from configure time
    directives and to GUC variables whenever **POSSIBLE**. 
    
    LER
    -- 
    Larry Rosenman                     http://www.lerctr.org/~ler
    Phone: +1 972-414-9812                 E-Mail: ler@lerctr.org
    US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
    
    
    
  136. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-16T15:45:36Z

    Vince Vielhaber wrote:
    > On Thu, 15 Aug 2002, Bruce Momjian wrote:
    > 
    > > I have seen some negative reactions to the feature.  I am willing to ask
    > > for a vote, if that is what people want.  If not, I will apply the patch
    > > in the next day or two.
    > 
    > So are you calling for a vote or just willing to ask for one?  I vote for
    > putting it in contrib and letting whoever wants it apply it and use it.
    > The more we discuss it the worse it looks.
    
    I can do a vote.  However, seeing many positive comments about the
    patch, and 1-2 negative ones (with no suggestion on how to improve it),
    I don't think the negative votes will win.
    
    I usually do a vote when the email comments are coming in kind of close.
    
    Specifically, in the thread, I have Vince and Peter as negative, and >7
    positive, I think.
    
    Look at the contraints I am under to implement what is effectively
    username schemas:
    
    	small patch, no bloat, because it isn't a core feature
    	multiple global users
    	no namespace collisions between global/non-global users
    	zero performance impact
    	32-byte user string coming from the client
    
    Specifically, what is ugly about it?  Is it that global users have an @
    at the end of their names?  How do we prevent namespace collisions
    _without_ doing this?  I am all ears.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  137. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-16T16:46:44Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > Specifically, what is ugly about it?  Is it that global users have an @
    > at the end of their names?  How do we prevent namespace collisions
    > _without_ doing this?  I am all ears.
    
    The folks who are unhappy about this design basically think that the
    namespace collisions issue should not be considered a vital requirement;
    whereupon you don't have to have the '@' because a search in the
    pg_shadow flat file would work well enough.
    
    It comes down to a judgment call about which is uglier, putting '@' on
    global usernames or having to avoid namespace collisions.
    
    At this point I think we've wasted more than enough time on the
    argument; I haven't seen any new ideas recently, nor any change in
    anyone's position.  Since no one seems to want to do the work to make a
    better implementation, I vote we accept the patch we have and move on.
    
    			regards, tom lane
    
    
  138. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-16T17:01:21Z

    On Fri, 16 Aug 2002, Tom Lane wrote:
    
    > Lee Kindness <lkindness@csl.co.uk> writes:
    > > Vince Vielhaber writes:
    > >>> [ 'user@' patch ]
    > >>> whim.  Then again as long as 7.2.1 is stable enough for me there's
    > >>> no reason to upgrade 'cuze I damn sure ain't going back and changing
    > >>> all sorts of programs and scripts that have global users.
    >
    > > Having read bits and pieces of this thread, can those in favour
    > > confirm that this would be an effect of this patch?
    >
    > I think Vince is talking through his hat.  The proposed flag wouldn't
    > ever be enabled by default.  If someone did turn it on in their
    > installation "on a whim", they'd soon turn it off again if they didn't
    > like the effects.  I do not see much difference between the above
    > argument and arguing "we shouldn't have i18n support, because if I
    > turned it on on a whim I wouldn't be able to read my error messages".
    >
    > Once again: *no one* has at any time suggested that any form of this
    > patch should affect the default behavior in the slightest.
    
    Not yet they haven't.  What happens when it's decided that this
    *feature* is a good thing and should be the default?   Maybe not
    now, but can you guarantee that that won't happen in say 7.4?  Or
    maybe 8.0?  I can hear it now, "Well we're giving you an entire
    version to change your scripts".
    
    There's not even a concensus that this is the right way to do it,
    you even said you'd prefer it was implemented in another way but
    don't have the time to do it.  Since when does this group rush to
    stuff features in without agreement even on HOW to implement it?
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  139. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-16T17:30:03Z

    Vince Vielhaber wrote:
    > > Once again: *no one* has at any time suggested that any form of this
    > > patch should affect the default behavior in the slightest.
    > 
    > Not yet they haven't.  What happens when it's decided that this
    > *feature* is a good thing and should be the default?   Maybe not
    > now, but can you guarantee that that won't happen in say 7.4?  Or
    > maybe 8.0?  I can hear it now, "Well we're giving you an entire
    > version to change your scripts".
    
    
    I can't argue hypothetical with you, but if we decided to make this a
    default behavior, we would probably push the functionality down into
    CREATE USER, create a new column in pg_shadow, lengthen the username
    passed from the client, and do it that way.  However, because it is not
    on by default _and_ we don't want to add visibility to a functionality
    that is off by default, we are doing it this way.
    
    Remember, non-local users already have an @ in their username.  I am
    just adding @ to the global users too. This functionality actually
    allows you to keep your old users in pg_shadow and once you turn on the
    feature, those users become unusable.  When you turn the feature off,
    they are back again.
    
    I know the trailing @ is ugly, but it prevents surpises when connecting
    to the database.
    
    > There's not even a consensus that this is the right way to do it,
    > you even said you'd prefer it was implemented in another way but
    > don't have the time to do it.  Since when does this group rush to
    > stuff features in without agreement even on HOW to implement it?
    
    This is an argument I don't want to bow to.  How many features have we
    left undone, for release after release, because we couldn't find a
    perfect way to do it, so we did nothing, and users went elsewhere for
    their database needs?   We have had enough discussion to know that there
    isn't a perfect solution in this case, so we are going to implement the
    best we can, and if we have to revisit it in 8.0, so be it.  I am sure
    you will still be around to help craft that solution.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  140. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-16T17:34:05Z

    On Fri, 16 Aug 2002, Ross J. Reedstrom wrote:
    
    > On Fri, Aug 16, 2002 at 10:21:12AM -0400, Vince Vielhaber wrote:
    >
    > > RPMs aren't a good enough reason to put it in.  All features aren't
    > > installed in an RPM, why would this need to?   Besides, anything that
    > > is runtime configurable can end up getting its default changed on a
    > > whim.  Then again as long as 7.2.1 is stable enough for me there's
    > > no reason to upgrade 'cuze I damn sure ain't going back and changing
    > > all sorts of programs and scripts that have global users.
    >
    > So, Vince, do you have problems with the various GUC based optimizer
    > hooks getting set to other than the default? I'd think you'd notice
    > if suddenly indexscans all went away, or any of these:
    >
    > #enable_seqscan = true
    > #enable_indexscan = true
    > #enable_tidscan = true
    > #enable_sort = true
    > #enable_nestloop = true
    > #enable_mergejoin = true
    > #enable_hashjoin = true
    >
    > My point is that your resistance to a GUC controlled runtime configurable
    > on the basis of 'it might get changed accidently' makes little sense to
    > me, given all the other runtime config settings that never do get changed.
    > What makes you think this one will be more susceptible to accidental
    > flipping?
    
    My point has nothing to do with resistance to GUC configurables.  Someone
    WILL decide that having it as a default is a *Good Thing* because it's
    there and is useful to them and in its current implementation there's not
    even a concensus that it's the right way to do it.  It's being rushed into
    this version unnecessarily.
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  141. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-16T18:17:25Z

    Vince Vielhaber <vev@michvhf.com> writes:
    > My point has nothing to do with resistance to GUC configurables.  Someone
    > WILL decide that having it as a default is a *Good Thing* because it's
    > there and is useful to them
    
    Which someone would this be?  There's no chance that such a proposal 
    would pass a pghackers vote, and certainly no chance that someone
    could commit such a change into CVS without everyone noticing.
    
    > and in its current implementation there's not
    > even a concensus that it's the right way to do it.  It's being rushed into
    > this version unnecessarily.
    
    It's being rushed into this version because we need a stopgap solution.
    I don't see it as anything but a stopgap.  The fact that it's a very
    small patch is good, because it can be replaced with minimal effort once
    someone has the time to design and implement a better mechanism for
    multi-database user management.  AFAICT a proper solution will involve
    considerable work, and I don't see it happening in time for 7.3.
    
    Also, ugly as this may be, it's still better than the old solution for
    people who are trying to support multiple similarly-named users in
    different databases.  The old hack required external password files
    which mean manual management, admin involvement in any password change,
    etc.  With this approach users can set their password normally even if
    they're being restricted to one database.  So realistically I think this
    does not affect people who aren't using it, and for people who do want
    to use it it's a step forward, even if not as far forward as we'd like.
    
    			regards, tom lane
    
    
  142. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-16T18:29:23Z

    BTW, I just thought of a small improvement to your patch that eliminates
    some of the ugliness.  Suppose that when we recognize an attempt to
    connect as a global user (ie, feature flag is on and last character of
    username is '@'), we strip off the '@' before proceeding.  Then we would
    have:
    	global users appear in pg_shadow as foo
    	local users appear in pg_shadow as foo@db
    and what this would mean is that you can flip between feature-enabled
    and feature-disabled states without breaking your global logins.  So you
    don't need the extra step of creating a "postgres@" before turning on
    the feature.  (Which was pretty ugly anyway, since even though postgres@
    could be made a superuser, he wouldn't be the same user as postgres ---
    this affects table ownership, for example, and would be a serious issue
    if you wanted any non-superuser global users.)
    
    I suppose some might argue that having to say postgres@ to log in,
    when your username is really just postgres as far as you can see in the
    database, is a tad confusing.  But the whole thing is an acknowledged
    wart anyway, and I think getting rid of the two problems mentioned above
    is worth it.
    
    Also, if we do this then it's important to strip a trailing '@' only
    if it's the *only* one in the given username.  Else a local user
    'foo@db1' could cheat to log into db2 by saying username = 'foo@db1@'
    with requested database db2.  But I can't see any other security hole.
    
    			regards, tom lane
    
    
  143. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-16T19:03:20Z

    Tom Lane wrote:
    > BTW, I just thought of a small improvement to your patch that eliminates
    > some of the ugliness.  Suppose that when we recognize an attempt to
    > connect as a global user (ie, feature flag is on and last character of
    > username is '@'), we strip off the '@' before proceeding.  Then we would
    > have:
    > 	global users appear in pg_shadow as foo
    > 	local users appear in pg_shadow as foo@db
    > and what this would mean is that you can flip between feature-enabled
    > and feature-disabled states without breaking your global logins.  So you
    > don't need the extra step of creating a "postgres@" before turning on
    > the feature.  (Which was pretty ugly anyway, since even though postgres@
    > could be made a superuser, he wouldn't be the same user as postgres ---
    > this affects table ownership, for example, and would be a serious issue
    > if you wanted any non-superuser global users.)
    > 
    > I suppose some might argue that having to say postgres@ to log in,
    > when your username is really just postgres as far as you can see in the
    > database, is a tad confusing.  But the whole thing is an acknowledged
    > wart anyway, and I think getting rid of the two problems mentioned above
    > is worth it.
    
    Sure. If I can get one more 'yes' I will submit a new patch with the
    change.  It does prevent the namespace collision without mucking up
    pg_shadow.  We only need to tell people that global users need to supply
    their username to the client as user@.  Is that cleaner?
    
    > Also, if we do this then it's important to strip a trailing '@' only
    > if it's the *only* one in the given username.  Else a local user
    > 'foo@db1' could cheat to log into db2 by saying username = 'foo@db1@'
    > with requested database db2.  But I can't see any other security hole.
    
    Ewe, I didn't think of that.  Good point.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  144. Re: Open 7.3 items

    Oliver Elphick <olly@lfix.co.uk> — 2002-08-16T19:31:01Z

    On Fri, 2002-08-16 at 20:03, Bruce Momjian wrote:
    > Sure. If I can get one more 'yes' I will submit a new patch with the
    > change.  It does prevent the namespace collision without mucking up
    > pg_shadow.  We only need to tell people that global users need to supply
    > their username to the client as user@.  Is that cleaner?
    
    I will vote yes for this change.  I think the flexibility this new
    system offers will make it much easier for people to offer PostgreSQL
    hosting facilities, of which I would like to see many more.
    
    -- 
    Oliver Elphick                                Oliver.Elphick@lfix.co.uk
    Isle of Wight, UK                            
    http://www.lfix.co.uk/oliver
    GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                     ========================================
         "And whatsoever ye shall ask in my name, that will I 
          do, that the Father may be glorified in the Son."     
                                              John 14:13 
    
    
    
  145. Re: Open 7.3 items

    ngpg@grymmjack.com — 2002-08-17T00:40:32Z

    pgman@candle.pha.pa.us (Bruce Momjian) wrote
    > 
    > I know the trailing @ is ugly, but it prevents surpises when connecting
    > to the database.
    > 
    
    if you would make the magic character a variable then perhaps you could 
    prevent the ugly...  if/when you turn off the feature, you could set the 
    PGSQL_STUPID_MAGIC_CHARACTER to '', then you would be appending an empty 
    string instead of a @, when you want to turn it back on, set the variable 
    back to '@'... and if you change the character, well dont..
    
    
  146. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-17T02:13:01Z

    ngpg@grymmjack.com wrote:
    > pgman@candle.pha.pa.us (Bruce Momjian) wrote
    > > 
    > > I know the trailing @ is ugly, but it prevents surpises when connecting
    > > to the database.
    > > 
    > 
    > if you would make the magic character a variable then perhaps you could 
    > prevent the ugly...  if/when you turn off the feature, you could set the 
    > PGSQL_STUPID_MAGIC_CHARACTER to '', then you would be appending an empty 
    > string instead of a @, when you want to turn it back on, set the variable 
    > back to '@'... and if you change the character, well dont..
    
    It already does that.  When it is off, it works just like it does in 7.2.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  147. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-17T04:16:14Z

    OK, here is the patch with the suggested changes.  I am sending the
    patch to hackers because there has been so much interest in this.
    
    ---------------------------------------------------------------------------
    
    Tom Lane wrote:
    > BTW, I just thought of a small improvement to your patch that eliminates
    > some of the ugliness.  Suppose that when we recognize an attempt to
    > connect as a global user (ie, feature flag is on and last character of
    > username is '@'), we strip off the '@' before proceeding.  Then we would
    > have:
    > 	global users appear in pg_shadow as foo
    > 	local users appear in pg_shadow as foo@db
    > and what this would mean is that you can flip between feature-enabled
    > and feature-disabled states without breaking your global logins.  So you
    > don't need the extra step of creating a "postgres@" before turning on
    > the feature.  (Which was pretty ugly anyway, since even though postgres@
    > could be made a superuser, he wouldn't be the same user as postgres ---
    > this affects table ownership, for example, and would be a serious issue
    > if you wanted any non-superuser global users.)
    > 
    > I suppose some might argue that having to say postgres@ to log in,
    > when your username is really just postgres as far as you can see in the
    > database, is a tad confusing.  But the whole thing is an acknowledged
    > wart anyway, and I think getting rid of the two problems mentioned above
    > is worth it.
    > 
    > Also, if we do this then it's important to strip a trailing '@' only
    > if it's the *only* one in the given username.  Else a local user
    > 'foo@db1' could cheat to log into db2 by saying username = 'foo@db1@'
    > with requested database db2.  But I can't see any other security hole.
    > 
    > 			regards, tom lane
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
  148. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-17T04:17:13Z

    Sample run:
    	
    	$ psql -U postgres test
    	psql: FATAL:  user "postgres@test" does not exist
    
    	$ psql -U postgres@ test
    	Welcome to psql 7.3devel, the PostgreSQL interactive terminal.
    	
    	Type:  \copyright for distribution terms
    	       \h for help with SQL commands
    	       \? for help on internal slash commands
    	       \g or terminate with semicolon to execute query
    	       \q to quit
    	
    	test=> 
    
    ---------------------------------------------------------------------------
    
    Tom Lane wrote:
    > BTW, I just thought of a small improvement to your patch that eliminates
    > some of the ugliness.  Suppose that when we recognize an attempt to
    > connect as a global user (ie, feature flag is on and last character of
    > username is '@'), we strip off the '@' before proceeding.  Then we would
    > have:
    > 	global users appear in pg_shadow as foo
    > 	local users appear in pg_shadow as foo@db
    > and what this would mean is that you can flip between feature-enabled
    > and feature-disabled states without breaking your global logins.  So you
    > don't need the extra step of creating a "postgres@" before turning on
    > the feature.  (Which was pretty ugly anyway, since even though postgres@
    > could be made a superuser, he wouldn't be the same user as postgres ---
    > this affects table ownership, for example, and would be a serious issue
    > if you wanted any non-superuser global users.)
    > 
    > I suppose some might argue that having to say postgres@ to log in,
    > when your username is really just postgres as far as you can see in the
    > database, is a tad confusing.  But the whole thing is an acknowledged
    > wart anyway, and I think getting rid of the two problems mentioned above
    > is worth it.
    > 
    > Also, if we do this then it's important to strip a trailing '@' only
    > if it's the *only* one in the given username.  Else a local user
    > 'foo@db1' could cheat to log into db2 by saying username = 'foo@db1@'
    > with requested database db2.  But I can't see any other security hole.
    > 
    > 			regards, tom lane
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  149. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-17T16:26:44Z

    OK, I think we are doing this backwards.  Instead of adding '@' to
    global users, and then removing it in the backend, why don't we have
    local users end with '@', that way, global users continue to connect
    just as they have before, and local users connect with @, so dave@db1
    connects as 'dave@' and if he has other database access, he can use the
    same 'dave@' name.
    
    That removes some of the uglification, I think.
    
    ---------------------------------------------------------------------------
    
    Tom Lane wrote:
    > BTW, I just thought of a small improvement to your patch that eliminates
    > some of the ugliness.  Suppose that when we recognize an attempt to
    > connect as a global user (ie, feature flag is on and last character of
    > username is '@'), we strip off the '@' before proceeding.  Then we would
    > have:
    > 	global users appear in pg_shadow as foo
    > 	local users appear in pg_shadow as foo@db
    > and what this would mean is that you can flip between feature-enabled
    > and feature-disabled states without breaking your global logins.  So you
    > don't need the extra step of creating a "postgres@" before turning on
    > the feature.  (Which was pretty ugly anyway, since even though postgres@
    > could be made a superuser, he wouldn't be the same user as postgres ---
    > this affects table ownership, for example, and would be a serious issue
    > if you wanted any non-superuser global users.)
    > 
    > I suppose some might argue that having to say postgres@ to log in,
    > when your username is really just postgres as far as you can see in the
    > database, is a tad confusing.  But the whole thing is an acknowledged
    > wart anyway, and I think getting rid of the two problems mentioned above
    > is worth it.
    > 
    > Also, if we do this then it's important to strip a trailing '@' only
    > if it's the *only* one in the given username.  Else a local user
    > 'foo@db1' could cheat to log into db2 by saying username = 'foo@db1@'
    > with requested database db2.  But I can't see any other security hole.
    > 
    > 			regards, tom lane
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  150. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-17T16:47:43Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > OK, I think we are doing this backwards.  Instead of adding '@' to
    > global users, and then removing it in the backend, why don't we have
    > local users end with '@', that way, global users continue to connect
    > just as they have before, and local users connect with @, so dave@db1
    > connects as 'dave@' and if he has other database access, he can use the
    > same 'dave@' name.
    
    No, *that* would be backwards.  In installations that are using this
    feature, the vast majority of the users are going to be local ones.
    And the global users will be the presumably-more-sophisticated admins.
    Putting the onus of the '@' decoration on the local users instead of
    the global ones is exactly the wrong way to go.
    
    			regards, tom lane
    
    
  151. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-17T23:41:13Z

    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > OK, I think we are doing this backwards.  Instead of adding '@' to
    > > global users, and then removing it in the backend, why don't we have
    > > local users end with '@', that way, global users continue to connect
    > > just as they have before, and local users connect with @, so dave@db1
    > > connects as 'dave@' and if he has other database access, he can use the
    > > same 'dave@' name.
    > 
    > No, *that* would be backwards.  In installations that are using this
    > feature, the vast majority of the users are going to be local ones.
    > And the global users will be the presumably-more-sophisticated admins.
    > Putting the onus of the '@' decoration on the local users instead of
    > the global ones is exactly the wrong way to go.
    
    OK, but it looks slightly less ugly.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  152. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-18T02:36:11Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > OK, here is the patch with the suggested changes.  I am sending the
    > patch to hackers because there has been so much interest in this.
    
    One minor gripe:
    
    > + 		/* If user@, it is a global user, remove '@' */
    > + 		if (strchr(port->user, '@') == port->user + strlen(port->user)-1)
    
    This code is correct, but it tempts someone to replace the strchr()
    with a single-character check on the last character of the string.
    Which would introduce the security hole we discussed before.  The
    code is okay, but *please* improve the comment to point out that you
    are also excluding the case where there are @'s to the left of the
    last character.
    
    			regards, tom lane
    
    
  153. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-18T03:04:02Z

    OK, applied, with that change.
    
    ---------------------------------------------------------------------------
    
    Tom Lane wrote:
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > OK, here is the patch with the suggested changes.  I am sending the
    > > patch to hackers because there has been so much interest in this.
    > 
    > One minor gripe:
    > 
    > > + 		/* If user@, it is a global user, remove '@' */
    > > + 		if (strchr(port->user, '@') == port->user + strlen(port->user)-1)
    > 
    > This code is correct, but it tempts someone to replace the strchr()
    > with a single-character check on the last character of the string.
    > Which would introduce the security hole we discussed before.  The
    > code is okay, but *please* improve the comment to point out that you
    > are also excluding the case where there are @'s to the left of the
    > last character.
    > 
    > 			regards, tom lane
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  154. Re: Open 7.3 items

    Peter Eisentraut <peter_e@gmx.net> — 2002-08-18T09:37:20Z

    Tom Lane writes:
    
    > BTW, I just thought of a small improvement to your patch that eliminates
    > some of the ugliness.  Suppose that when we recognize an attempt to
    > connect as a global user (ie, feature flag is on and last character of
    > username is '@'), we strip off the '@' before proceeding.
    
    I'm missing how hard it is to change "last character of username is @" to
    "no @ in username".  This would seem to be a two-line change somewhere.
    
    I'm concerned that we leave essentially no migration path, that is, the
    ability to turn the feature on to try it out without immediately breaking
    every application.
    
    -- 
    Peter Eisentraut   peter_e@gmx.net
    
    
    
  155. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-18T16:55:41Z

    Peter Eisentraut <peter_e@gmx.net> writes:
    > I'm concerned that we leave essentially no migration path, that is, the
    > ability to turn the feature on to try it out without immediately breaking
    > every application.
    
    Uh ... what?  I fail to understand your objection.  AFAICS the only
    apps that could be "broken" are scripts that have usernames hardwired
    into them ...
    
    			regards, tom lane
    
    
  156. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-18T17:10:12Z

    On Sat, 17 Aug 2002, Bruce Momjian wrote:
    
    >
    > OK, I think we are doing this backwards.  Instead of adding '@' to
    > global users, and then removing it in the backend, why don't we have
    > local users end with '@', that way, global users continue to connect
    > just as they have before, and local users connect with @, so dave@db1
    > connects as 'dave@' and if he has other database access, he can use the
    > same 'dave@' name.
    >
    > That removes some of the uglification, I think.
    
    Then why was it when I mentioned global users not having the @ you shot
    it down as not possible?
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  157. Re: Open 7.3 items

    Vince Vielhaber <vev@michvhf.com> — 2002-08-18T17:13:17Z

    On Sat, 17 Aug 2002, Tom Lane wrote:
    
    > Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > > OK, I think we are doing this backwards.  Instead of adding '@' to
    > > global users, and then removing it in the backend, why don't we have
    > > local users end with '@', that way, global users continue to connect
    > > just as they have before, and local users connect with @, so dave@db1
    > > connects as 'dave@' and if he has other database access, he can use the
    > > same 'dave@' name.
    >
    > No, *that* would be backwards.  In installations that are using this
    > feature, the vast majority of the users are going to be local ones.
    > And the global users will be the presumably-more-sophisticated admins.
    > Putting the onus of the '@' decoration on the local users instead of
    > the global ones is exactly the wrong way to go.
    
    Unsophisticated users is hardly a reason.  After all they do have an
    @ in their email address.  If they're told the username is foo@ then
    their username is foo@.  What's so difficult about that?
    
    Vince.
    -- 
    ==========================================================================
    Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
             56K Nationwide Dialup from $16.00/mo at Pop4 Networking
          http://www.camping-usa.com      http://www.cloudninegifts.com
       http://www.meanstreamradio.com       http://www.unknown-artists.com
    ==========================================================================
    
    
    
    
    
  158. Re: Open 7.3 items

    Peter Eisentraut <peter_e@gmx.net> — 2002-08-18T21:36:01Z

    Tom Lane writes:
    
    > Peter Eisentraut <peter_e@gmx.net> writes:
    > > I'm concerned that we leave essentially no migration path, that is, the
    > > ability to turn the feature on to try it out without immediately breaking
    > > every application.
    >
    > Uh ... what?  I fail to understand your objection.  AFAICS the only
    > apps that could be "broken" are scripts that have usernames hardwired
    > into them ...
    
    I'm completely lost between all the proposals about where the @ is going
    to be specified, added, or removed.  What happens on the client side and
    what happens on the server side?
    
    All I would like to see is that I can turn on this feature and nothing
    changes as long as I don't add any "local users".  Yes, that includes
    hard-wired user names on the client side.  Of course there are various
    degrees of hard-wiring, but what if the ISP admin updates to 7.3 and wants
    to turn on the feature for new clients?  Does he tell all his existing
    clients that they must update their user names?  Possibly, these users got
    their database access with a shell account and don't specify the user name
    at all because it defaults to the OS user name.  Does that continue to
    work?
    
    -- 
    Peter Eisentraut   peter_e@gmx.net
    
    
    
  159. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-18T22:08:15Z

    Peter Eisentraut <peter_e@gmx.net> writes:
    > I'm completely lost between all the proposals about where the @ is going
    > to be specified, added, or removed.  What happens on the client side and
    > what happens on the server side?
    
    Well, the way things stand as of CVS tip is that (assuming you have this
    feature turned on in postgresql.conf):
    
    * If a connection request has a username with a trailing '@' (and no
    embedded '@'), then the '@' is stripped and connection proceeds.
    
    * Otherwise, '@dbname' is appended to the given username and connection
    proceeds.
    
    So a "global" user foo has to say username="foo@" in his connection
    request, but he's just "foo" in pg_shadow.  A "local" user foo has to
    say "foo" in his connection request, and he's "foo@somedb" in pg_shadow.
    
    > All I would like to see is that I can turn on this feature and nothing
    > changes as long as I don't add any "local users".  Yes, that includes
    > hard-wired user names on the client side.
    
    Well, we could have that by inverting the use of '@'; but as I commented
    before, it makes more sense to me to make the global users say '@' than
    to make the local users do so, because I think in an installation that
    wants this feature there will be lots more local than global users.
    I really don't put that much weight on the compatibility argument you
    make --- not that I don't see your point, but that I don't think it
    outweighs convenience of day-to-day use after one has gotten the system
    set up.  (Also, compatibility cuts both ways: it seems just as likely
    to me that the clients with hardwired usernames are going to be ones
    you want to connect as local users, as that they are going to be ones
    you want to connect as global users.  Maybe more likely, if you grant
    the assumption that there will be more local than global users.)
    
    It might be worth recalling the reason that we are going through this
    pushup in the first place: Marc wants to be able to assign the same
    username to two different users who want to access two different
    databases.  If he would be happy with the answer "give them two
    different usernames", we'd not be having this discussion at all.
    Do you think he will be happy with the answer "you can give them
    the same username as long as it ends in '@'"?  I think it's highly
    unlikely that he'll be satisfied with that --- he wants to *not*
    have constraints on the names he gives out for local users.
    
    > Of course there are various
    > degrees of hard-wiring, but what if the ISP admin updates to 7.3 and wants
    > to turn on the feature for new clients?  Does he tell all his existing
    > clients that they must update their user names?  Possibly, these users got
    > their database access with a shell account and don't specify the user name
    > at all because it defaults to the OS user name.  Does that continue to
    > work?
    
    It works great if the ISP intends to make them all local users, which
    seems more likely to me than the other case.
    
    			regards, tom lane
    
    
  160. assigning to NULL?

    redmonde@purdue.edu — 2002-08-18T22:25:48Z

    I'm trying to make postGIS work with pg7.3devel. But a problem is occuring that did not appear in pg7.2. When I execute:
    
    ALTER TABLE geotest ADD CHECK ( geometrytype(geopoint)='POINT'
    OR NULL=geopoint);
    
    I get: "ERROR: copyObject: don't know how to copy node type 506"
    
    But when I execute:
    
    ALTER TABLE geotest ADD CHECK ( geometrytype(geopoint)='POINT');
    
    It works fine, which, due to the error message it seems that it is trying to assign rather to NULL, rather than compare (else what object needs to be copied in "NULL=geopoint"?). Is this a bug, a change in NULL, or a change in user defined datatypes?
    Thanks;
    Eric
    
    
  161. Re: assigning to NULL?

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-18T22:46:34Z

    redmonde@purdue.edu writes:
    > I get: "ERROR: copyObject: don't know how to copy node type 506"
    
    This is a bug in someone's recent patch ... but you don't want to say
    "NULL=geopoint" anyway, do you?  Surely it should be "geopoint IS NULL".
    
    			regards, tom lane
    
    
  162. Re: Open 7.3 items

    ngpg@grymmjack.com — 2002-08-19T00:01:02Z

    tgl@sss.pgh.pa.us (Tom Lane) wrote
    
    > * If a connection request has a username with a trailing '@' (and no
    > embedded '@'), then the '@' is stripped and connection proceeds.
    > 
    > * Otherwise, '@dbname' is appended to the given username and
    > connection proceeds.
    <snip>
    > It might be worth recalling the reason that we are going through this
    > pushup in the first place: Marc wants to be able to assign the same
    > username to two different users who want to access two different
    > databases.  If he would be happy with the answer "give them two
    > different usernames", we'd not be having this discussion at all.
    > Do you think he will be happy with the answer "you can give them
    > the same username as long as it ends in '@'"?  I think it's highly
    > unlikely that he'll be satisfied with that --- he wants to *not*
    > have constraints on the names he gives out for local users.
    
    
    What about usernames that have trailing or embedded @'s?  I mean you are 
    eseentially making the @ a magic character.  I admit I havent looked at 
    the source, but doesnt this method effectively put a constraint on the 
    use of @?  What if an isp, that could use this feature, already has 
    usernames with @'s in them (say a customers email address, etc)?  Will 
    they need to assign all new usernames to make this thing function?
    
    What if you want to give one person (one username) access to 2 db's?  
    Does that mean, under the current scheme, that the two accounts you 
    create can have the same username but have different passwords?  What if 
    you want to erase the "one" account (do you have to remember to erase all 
    n accounts you created with the same username, or all n except the ones 
    that were never mean to be the same person but share the same username)?
    
    Normally a user has a unique name.  Does anyone see a problem if/when the 
    whole db access thing becomes part of the privileges system?  If you 
    implement the "multiple users same username", then you'll have to 
    reassign all but one of the users to new usernames.
    
    
  163. Re: Open 7.3 items

    Lee Kindness <lkindness@csl.co.uk> — 2002-08-19T08:04:24Z

    I'd have thought that if a matching user couldn't be found in the
    specified database then it would default to searching through the
    global users? Would be more intuitive...
    
    Lee.
    
    Bruce Momjian writes:
     > Sample run:
     > 	$ psql -U postgres test
     > 	psql: FATAL:  user "postgres@test" does not exist
     > 
     > 	$ psql -U postgres@ test
     > 	Welcome to psql 7.3devel, the PostgreSQL interactive terminal.
    
    
  164. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-27T19:19:43Z

    I think we need to resolve this discussion from a week ago.  The current
    code is this:
    
    	global usernames are stored just like before, e.g. postgres
    	local users are stored as user@dbname
    	when connecting, global users add '@' to their names
    	when connecting, local users use just their user name, no @dbname
    
    Tom likes this because it is the fewer global users who have to append
    the '@'.
    
    Vince and Peter think that it should be local users adding '@' when
    connecting because:
    
    	they have an @ sign in their name anyway
    	global users should be able to connect unchanged
    
    I can foresee a time when we will have longer usernames, and local users
    will be able to connect with the full user@dbname, and we can allow
    user@ as a shortcut.
    
    In summary, I prefer to change the code to have local users append the
    '@'.
    
    Comments?  
    
    It is an easy change and prevents what is a very confusing situation
    where we add '@' for users who don't have @, and remove '@' for users
    who have it.
    
    ---------------------------------------------------------------------------
    
    Peter Eisentraut wrote:
    > Tom Lane writes:
    > 
    > > Peter Eisentraut <peter_e@gmx.net> writes:
    > > > I'm concerned that we leave essentially no migration path, that is, the
    > > > ability to turn the feature on to try it out without immediately breaking
    > > > every application.
    > >
    > > Uh ... what?  I fail to understand your objection.  AFAICS the only
    > > apps that could be "broken" are scripts that have usernames hardwired
    > > into them ...
    > 
    > I'm completely lost between all the proposals about where the @ is going
    > to be specified, added, or removed.  What happens on the client side and
    > what happens on the server side?
    > 
    > All I would like to see is that I can turn on this feature and nothing
    > changes as long as I don't add any "local users".  Yes, that includes
    > hard-wired user names on the client side.  Of course there are various
    > degrees of hard-wiring, but what if the ISP admin updates to 7.3 and wants
    > to turn on the feature for new clients?  Does he tell all his existing
    > clients that they must update their user names?  Possibly, these users got
    > their database access with a shell account and don't specify the user name
    > at all because it defaults to the OS user name.  Does that continue to
    > work?
    > 
    > -- 
    > Peter Eisentraut   peter_e@gmx.net
    > 
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  165. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-27T19:35:41Z

    On Tuesday 27 August 2002 03:19 pm, Bruce Momjian wrote:
    > I think we need to resolve this discussion from a week ago.  The current
    > code is this:
    
    I thought it WAS resolved, to do:
    
    > 	global usernames are stored just like before, e.g. postgres
    > 	local users are stored as user@dbname
    > 	when connecting, global users add '@' to their names
    > 	when connecting, local users use just their user name, no @dbname
    
    > Tom likes this because it is the fewer global users who have to append
    > the '@'.
    
    At least that was my perception of the uneasy consensus reached.
    
    Basically, this tags the @ as magic saying, during the client connect process, 
    'I'm GLOBAL, treat me differently'.  Now that I actually understand how this 
    is supposed to work, which your four lines above elucidate nicely, I am in 
    more agreement than I was that this is the right answer to this issue.
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  166. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-27T19:43:02Z

    Lamar Owen wrote:
    > On Tuesday 27 August 2002 03:19 pm, Bruce Momjian wrote:
    > > I think we need to resolve this discussion from a week ago.  The current
    > > code is this:
    > 
    > I thought it WAS resolved, to do:
    > 
    > > 	global usernames are stored just like before, e.g. postgres
    > > 	local users are stored as user@dbname
    > > 	when connecting, global users add '@' to their names
    > > 	when connecting, local users use just their user name, no @dbname
    > 
    > > Tom likes this because it is the fewer global users who have to append
    > > the '@'.
    > 
    > At least that was my perception of the uneasy consensus reached.
    > 
    > Basically, this tags the @ as magic saying, during the client connect process, 
    > 'I'm GLOBAL, treat me differently'.  Now that I actually understand how this 
    > is supposed to work, which your four lines above elucidate nicely, I am in 
    > more agreement than I was that this is the right answer to this issue.
    
    OK, you have now split the vote because we have two for the change, and
    two against.  Why do you prefer to tag the globals?  Is it Tom's
    argument?  I think it is kind of strange to tag the globals when it is
    the locals who have @ in their username, and when they do:
    
    	$ psql -U dave test
    	Welcome to psql 7.3devel, the PostgreSQL interactive terminal.
    	
    	Type:  \copyright for distribution terms
    	       \h for help with SQL commands
    	       \? for help on internal slash commands
    	       \g or terminate with semicolon to execute query
    	       \q to quit
    	
    	test=> select current_user;
    	 current_user 
    	--------------
    	 dave@test
    	(1 row)
    
    they will see their full username.
    
    I can go either way.  I am just saying we need to hear from more people
    to make sure we are doing this properly.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  167. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-27T19:47:11Z

    Bruce Momjian <pgman@candle.pha.pa.us> writes:
    > I can go either way.  I am just saying we need to hear from more people
    > to make sure we are doing this properly.
    
    Likewise.  In particular I'd like to hear from Marc, who after all
    is the one who caused us to consider this hack in the first place.
    Does it satisfy his requirement?  Is one way or the other preferable
    for his actual usage?
    
    			regards, tom lane
    
    
  168. Re: Open 7.3 items

    Lamar Owen <lamar.owen@wgcr.org> — 2002-08-27T20:05:36Z

    On Tuesday 27 August 2002 03:43 pm, Bruce Momjian wrote:
    > Lamar Owen wrote:
    > > On Tuesday 27 August 2002 03:19 pm, Bruce Momjian wrote:
    > > I thought it WAS resolved, to do:
    
    > > > Tom likes this because it is the fewer global users who have to append
    > > > the '@'.
    
    > > At least that was my perception of the uneasy consensus reached.
    
    > OK, you have now split the vote because we have two for the change, and
    > two against.  Why do you prefer to tag the globals?  Is it Tom's
    > argument?  I think it is kind of strange to tag the globals when it is
    > the locals who have @ in their username, and when they do:
    
    I agree with what Tom said, and understand why he said it.  And I thought you 
    did, too -- I have apparently misunderstood (again!) the issue.
    
    In the local-enabled scheme, ISTM the majority of users will be local users.  
    The goal is transparent virtual databases -- at least that's what I consider 
    the goal.  As far as the user is concerned, the other databases might as well 
    not even exist -- all they are doing is connecting to their database.  Since 
    they have to give the database name as part of the connection, it just makes 
    sense that they should have the closest to default behavior.
    
    In the case of a virtual hosting postmaster, global users would likely be 
    DBA's, although they might not be.  These users are going to be the 
    exception, not the rule -- thus a character to tag their 'exceptional' 
    nature.
    
    You may not even want your virtual host local users to realize that there is 
    another user by that name.  Thus, the standard notation is the least 
    intrusive for the very users that need uninstrusive notation.
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
    
    
  169. Re: Open 7.3 items

    Rod Taylor <rbt@zort.ca> — 2002-08-27T20:10:56Z

    It should also be noted that it's easy to get the DBAs to change their
    username in the future when / if the @ hack goes away BUT it will be
    difficult to change the usernames of the hundreds to thousands of
    customer accounts.
    
    For an upgrade, we'd end up making a script in the upgrade to keep them
    the same (with the @) then have a control panel code in place to suggest
    to the user that they may stop using the @ if they wish <click here>
    type of thing.
    
    
    > > > > Tom likes this because it is the fewer global users who have to append
    > > > > the '@'.
    > 
    > > > At least that was my perception of the uneasy consensus reached.
    > 
    > > OK, you have now split the vote because we have two for the change, and
    > > two against.  Why do you prefer to tag the globals?  Is it Tom's
    > > argument?  I think it is kind of strange to tag the globals when it is
    > > the locals who have @ in their username, and when they do:
    
    > In the case of a virtual hosting postmaster, global users would likely be 
    > DBA's, although they might not be.  These users are going to be the 
    > exception, not the rule -- thus a character to tag their 'exceptional' 
    > nature.
    
    
    
    
  170. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-27T20:19:47Z

    Lamar Owen wrote:
    > On Tuesday 27 August 2002 03:43 pm, Bruce Momjian wrote:
    > > Lamar Owen wrote:
    > > > On Tuesday 27 August 2002 03:19 pm, Bruce Momjian wrote:
    > > > I thought it WAS resolved, to do:
    > 
    > > > > Tom likes this because it is the fewer global users who have to append
    > > > > the '@'.
    > 
    > > > At least that was my perception of the uneasy consensus reached.
    > 
    > > OK, you have now split the vote because we have two for the change, and
    > > two against.  Why do you prefer to tag the globals?  Is it Tom's
    > > argument?  I think it is kind of strange to tag the globals when it is
    > > the locals who have @ in their username, and when they do:
    > 
    > I agree with what Tom said, and understand why he said it.  And I thought you 
    > did, too -- I have apparently misunderstood (again!) the issue.
    
    I try not to interject my opinions into emails where I am asking for
    disucsion so people can more clearly see the options and vote
    accordingly.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  171. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-27T20:20:40Z

    OK, we have enough votes to keep the existing behavior, unless Marc
    appears and says he doesn't like it.  ;-)
    
    Thanks.
    
    ---------------------------------------------------------------------------
    
    Rod Taylor wrote:
    > It should also be noted that it's easy to get the DBAs to change their
    > username in the future when / if the @ hack goes away BUT it will be
    > difficult to change the usernames of the hundreds to thousands of
    > customer accounts.
    > 
    > For an upgrade, we'd end up making a script in the upgrade to keep them
    > the same (with the @) then have a control panel code in place to suggest
    > to the user that they may stop using the @ if they wish <click here>
    > type of thing.
    > 
    > 
    > > > > > Tom likes this because it is the fewer global users who have to append
    > > > > > the '@'.
    > > 
    > > > > At least that was my perception of the uneasy consensus reached.
    > > 
    > > > OK, you have now split the vote because we have two for the change, and
    > > > two against.  Why do you prefer to tag the globals?  Is it Tom's
    > > > argument?  I think it is kind of strange to tag the globals when it is
    > > > the locals who have @ in their username, and when they do:
    > 
    > > In the case of a virtual hosting postmaster, global users would likely be 
    > > DBA's, although they might not be.  These users are going to be the 
    > > exception, not the rule -- thus a character to tag their 'exceptional' 
    > > nature.
    > 
    > 
    > 
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  172. Re: Open 7.3 items

    Oliver Elphick <olly@lfix.co.uk> — 2002-08-27T21:05:59Z

    On Tue, 2002-08-27 at 21:05, Lamar Owen wrote:
    > On Tuesday 27 August 2002 03:43 pm, Bruce Momjian wrote:
    > > Lamar Owen wrote:
    > > > On Tuesday 27 August 2002 03:19 pm, Bruce Momjian wrote:
    > > > I thought it WAS resolved, to do:
    > 
    > > > > Tom likes this because it is the fewer global users who have to append
    > > > > the '@'.
    > 
    > > > At least that was my perception of the uneasy consensus reached.
    > 
    > > OK, you have now split the vote because we have two for the change, and
    > > two against.  Why do you prefer to tag the globals?  Is it Tom's
    > > argument?  I think it is kind of strange to tag the globals when it is
    > > the locals who have @ in their username, and when they do:
    > 
    > I agree with what Tom said, and understand why he said it.  And I thought you 
    > did, too -- I have apparently misunderstood (again!) the issue.
    > 
    > In the local-enabled scheme, ISTM the majority of users will be local users.  
    > The goal is transparent virtual databases -- at least that's what I consider 
    > the goal.  As far as the user is concerned, the other databases might as well 
    > not even exist -- all they are doing is connecting to their database.  Since 
    > they have to give the database name as part of the connection, it just makes 
    > sense that they should have the closest to default behavior.
    > 
    > In the case of a virtual hosting postmaster, global users would likely be 
    > DBA's, although they might not be.  These users are going to be the 
    > exception, not the rule -- thus a character to tag their 'exceptional' 
    > nature.
    > 
    > You may not even want your virtual host local users to realize that there is 
    > another user by that name.  Thus, the standard notation is the least 
    > intrusive for the very users that need uninstrusive notation.
    
    Has this behaviour been carried through into GRANT and REVOKE?  If the
    object is transparency for local users, it should be possible in
    database "test" to say "GRANT ... TO fred" and have "fred" understood as
    "fred@test".
    
    If that is the case, then I will support the current position.
    
    
    It follows from the objective of transparency that, when reporting a
    user name, local users should be reported without the database suffix,
    i.e., "fred" not "fred@test".  Global users should be reported with the
    trailing "@".  This should cause no problem, because we have no
    cross-database communication; it should be impossible for "george@dummy"
    to have any connection with database "test".
    
    -- 
    Oliver Elphick                                Oliver.Elphick@lfix.co.uk
    Isle of Wight, UK                            
    http://www.lfix.co.uk/oliver
    GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                     ========================================
         "But the end of all things is at hand; be ye therefore 
          sober, and watch unto prayer. And above all things 
          have fervent love among yourselves; for love shall  
          cover the multitude of sins."      I Peter 4:7,8
    
    
    
  173. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-27T21:11:21Z

    Oliver Elphick wrote:
    > > I agree with what Tom said, and understand why he said it.  And I thought you 
    > > did, too -- I have apparently misunderstood (again!) the issue.
    > > 
    > > In the local-enabled scheme, ISTM the majority of users will be local users.  
    > > The goal is transparent virtual databases -- at least that's what I consider 
    > > the goal.  As far as the user is concerned, the other databases might as well 
    > > not even exist -- all they are doing is connecting to their database.  Since 
    > > they have to give the database name as part of the connection, it just makes 
    > > sense that they should have the closest to default behavior.
    > > 
    > > In the case of a virtual hosting postmaster, global users would likely be 
    > > DBA's, although they might not be.  These users are going to be the 
    > > exception, not the rule -- thus a character to tag their 'exceptional' 
    > > nature.
    > > 
    > > You may not even want your virtual host local users to realize that there is 
    > > another user by that name.  Thus, the standard notation is the least 
    > > intrusive for the very users that need uninstrusive notation.
    > 
    > Has this behaviour been carried through into GRANT and REVOKE?  If the
    > object is transparency for local users, it should be possible in
    > database "test" to say "GRANT ... TO fred" and have "fred" understood as
    > "fred@test".
    
    No changes have been made anywhere except for the username passed by the
    client.  All reporting of user names and all administration go by their
    full pg_shadow username, so global user dave@ is dave in pg_shadow, and
    dave is dave@db1 in pg_shadow.  One goal of this patch was a small
    footprint.
    
    > If that is the case, then I will support the current position.
    > 
    > 
    > It follows from the objective of transparency that, when reporting a
    > user name, local users should be reported without the database suffix,
    > i.e., "fred" not "fred@test".  Global users should be reported with the
    > trailing "@".  This should cause no problem, because we have no
    > cross-database communication; it should be impossible for "george@dummy"
    > to have any connection with database "test".
    
    Nope, none of this is done and I don't think there is a demand to do it.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  174. Re: Open 7.3 items

    Oliver Elphick <olly@lfix.co.uk> — 2002-08-27T21:33:35Z

    On Tue, 2002-08-27 at 22:11, Bruce Momjian wrote:
    > Oliver Elphick wrote:
    > > Has this behaviour been carried through into GRANT and REVOKE?  If the
    > > object is transparency for local users, it should be possible in
    > > database "test" to say "GRANT ... TO fred" and have "fred" understood as
    > > "fred@test".
    > 
    > No changes have been made anywhere except for the username passed by the
    > client.  All reporting of user names and all administration go by their
    > full pg_shadow username, so global user dave@ is dave in pg_shadow, and
    > dave is dave@db1 in pg_shadow.  One goal of this patch was a small
    > footprint.
    
    That is understandable, but it means that there is an inconsistency of
    usage for _every_ user.
    
    You connect as "postgres@" and "fred", but for all other purposes -
    CREATE USER, GRANT, REVOKE, CURRENT_USER, etc. you will be "postgres"
    and "fred@database".  This seems likely to cause users confusion, don't
    you think?  It also means that any applications which test usernames
    will have to be altered to strip off the "@database".
    
    So it seems to me that you have achieved a small footprint within the
    code, but potentially at the cost of a larger impact on users.
    
    -- 
    Oliver Elphick                                Oliver.Elphick@lfix.co.uk
    Isle of Wight, UK                            
    http://www.lfix.co.uk/oliver
    GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                     ========================================
         "But the end of all things is at hand; be ye therefore 
          sober, and watch unto prayer. And above all things 
          have fervent love among yourselves; for love shall  
          cover the multitude of sins."      I Peter 4:7,8
    
    
    
  175. Re: Open 7.3 items

    Peter Eisentraut <peter_e@gmx.net> — 2002-08-27T21:36:36Z

    Bruce Momjian writes:
    
    > 	global usernames are stored just like before, e.g. postgres
    > 	local users are stored as user@dbname
    > 	when connecting, global users add '@' to their names
    > 	when connecting, local users use just their user name, no @dbname
    
    I'm OK with this in principle.  But I must say I was quite confused
    because the "@" symbol appears in diametrically opposite contexts:
    
    a) designate local users on the server
    
    b) designate global users in the client
    
    Perhaps I might have been less confused if meaning (b) used a different
    character, say "username!".  This might be equally confusing to the next
    person -- just my observation.
    
    -- 
    Peter Eisentraut   peter_e@gmx.net
    
    
    
  176. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-27T21:44:41Z

    Oliver Elphick <olly@lfix.co.uk> writes:
    > So it seems to me that you have achieved a small footprint within the
    > code, but potentially at the cost of a larger impact on users.
    
    I don't think anyone will deny that this is a kluge.  However, we are
    not going to resurrect the separate-password-file thing (that was a
    worse kluge, especially when used for this purpose), and we are not
    going to postpone 7.3 while we think about a nicer solution.  So, simple
    is beautiful for now.  If there are enough people actually *using* this
    feature to make it worth improving, we can improve it ... later.
    
    			regards, tom lane
    
    
  177. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-27T21:46:38Z

    Peter Eisentraut <peter_e@gmx.net> writes:
    > Perhaps I might have been less confused if meaning (b) used a different
    > character, say "username!".
    
    Well, maybe ... but do we want to create two special characters in
    usernames, instead of one?  @ still has to be considered special in
    incoming usernames, else you have no security against local users
    connecting to other databases.
    
    			regards, tom lane
    
    
  178. Re: Open 7.3 items

    Oliver Elphick <olly@lfix.co.uk> — 2002-08-27T21:58:30Z

    On Tue, 2002-08-27 at 22:44, Tom Lane wrote:
    > Oliver Elphick <olly@lfix.co.uk> writes:
    > > So it seems to me that you have achieved a small footprint within the
    > > code, but potentially at the cost of a larger impact on users.
    > 
    > I don't think anyone will deny that this is a kluge.  However, we are
    > not going to resurrect the separate-password-file thing (that was a
    > worse kluge, especially when used for this purpose), and we are not
    > going to postpone 7.3 while we think about a nicer solution.  So, simple
    > is beautiful for now.  If there are enough people actually *using* this
    > feature to make it worth improving, we can improve it ... later.
    
    Could we then have a TODO item:
    
      * Make local and global user representation consistent throughout.
    
    -- 
    Oliver Elphick                                Oliver.Elphick@lfix.co.uk
    Isle of Wight, UK                            
    http://www.lfix.co.uk/oliver
    GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                     ========================================
         "But the end of all things is at hand; be ye therefore 
          sober, and watch unto prayer. And above all things 
          have fervent love among yourselves; for love shall  
          cover the multitude of sins."      I Peter 4:7,8
    
    
    
  179. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-27T22:10:27Z

    Oliver Elphick <olly@lfix.co.uk> writes:
    > This should cause no problem, because we have no
    > cross-database communication; it should be impossible for "george@dummy"
    > to have any connection with database "test".
    
    Not so; you need look no further than the owner column of pg_database
    to find a case where people can see usernames that might be local to
    other databases.  Group membership lists might well contain users
    from multiple databases, too.
    
    			regards, tom lane
    
    
  180. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-27T22:17:03Z

    Oliver Elphick <olly@lfix.co.uk> writes:
    > Could we then have a TODO item:
    >   * Make local and global user representation consistent throughout.
    
    That's hardly an appropriately expansive TODO item.  I prefer
    
        * Provide a real solution for database-local users
    
    ;-)
    
    			regards, tom lane
    
    
  181. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-28T01:07:04Z

    Tom Lane wrote:
    > Oliver Elphick <olly@lfix.co.uk> writes:
    > > Could we then have a TODO item:
    > >   * Make local and global user representation consistent throughout.
    > 
    > That's hardly an appropriately expansive TODO item.  I prefer
    > 
    >     * Provide a real solution for database-local users
    
    I say let's get it out in the field and see what people ask for.  For
    all we know, they may be very happy with this, nor not use it at all.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  182. Re: Open 7.3 items

    Bruce Momjian <pgman@candle.pha.pa.us> — 2002-08-28T01:08:01Z

    Peter Eisentraut wrote:
    > Bruce Momjian writes:
    > 
    > > 	global usernames are stored just like before, e.g. postgres
    > > 	local users are stored as user@dbname
    > > 	when connecting, global users add '@' to their names
    > > 	when connecting, local users use just their user name, no @dbname
    > 
    > I'm OK with this in principle.  But I must say I was quite confused
    > because the "@" symbol appears in diametrically opposite contexts:
    > 
    > a) designate local users on the server
    > 
    > b) designate global users in the client
    > 
    > Perhaps I might have been less confused if meaning (b) used a different
    > character, say "username!".  This might be equally confusing to the next
    > person -- just my observation.
    
    There is no question it is 100% confusing.  You are not alone.
    
    What keeps us from unconfusing it is the desire to make local usernames
    clean looking, I think.
    
    -- 
      Bruce Momjian                        |  http://candle.pha.pa.us
      pgman@candle.pha.pa.us               |  (610) 359-1001
      +  If your life is a hard drive,     |  13 Roberts Road
      +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
    
    
  183. Re: Open 7.3 items

    Oliver Elphick <olly@lfix.co.uk> — 2002-08-28T07:22:53Z

    On Tue, 2002-08-27 at 23:10, Tom Lane wrote: 
    > Oliver Elphick <olly@lfix.co.uk> writes:
    > > This should cause no problem, because we have no
    > > cross-database communication; it should be impossible for "george@dummy"
    > > to have any connection with database "test".
    > 
    > Not so; you need look no further than the owner column of pg_database
    > to find a case where people can see usernames that might be local to
    > other databases.  Group membership lists might well contain users
    > from multiple databases, too.
    
    I suspect I have a different view of the ultimate aim of this feature.
    
    If we go to a thorough solution for virtual local databases, local users
    of other databases ought to be completely invisible.  I suppose that
    means that to a local user, pg_database would be a view showing only
    template[01] and the local database. pg_shadow, too, would show only
    global users and local users in the same database.
    
    I can't see how a group within a local database could contain users from
    other databases.   In the context in which this is being used, each
    database belongs to a different customer; each database needs to be
    invisible to other customers.  How then should it be possible to have
    group lists containing users from different local databases?  Groups
    should be local as well as users.
    
    Perhaps I like complicating things too much...
    
    -- 
    Oliver Elphick                                Oliver.Elphick@lfix.co.uk
    Isle of Wight, UK                            
    http://www.lfix.co.uk/oliver
    GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                     ========================================
         "Use hospitality one to another without grudging."     
                                       I Peter 4:9 
    
    
    
  184. Re: Open 7.3 items

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-28T13:14:43Z

    Oliver Elphick <olly@lfix.co.uk> writes:
    > If we go to a thorough solution for virtual local databases, local users
    > of other databases ought to be completely invisible.
    
    Perhaps.  I'm not convinced of that, but it's a defensible position.
    
    > I can't see how a group within a local database could contain users from
    > other databases.
    
    This presupposes that groups become local to databases, which is not
    a foregone conclusion in my mind at all.  Perhaps we'll need to invent
    the concept of local and global groups, to go along with local and
    global users.
    
    Anyway, this is all designing far in advance of available use-cases.
    Marc was satisfying his needs (so far as he said, anyway) with a
    password-based scheme even klugier than what we're going to put in 7.3.
    We don't have other usage examples at all.  And with the availability
    of schemas in 7.3, I think that multiple databases per installation
    is going to become less common to begin with --- people will more often
    use multiple schemas in one big database if they want the option of
    data sharing, or completely separate installations if they want airtight
    separation.
    
    Accordingly, I'm disinclined to start actually inventing features in
    this area until I see more evidence that it's worth the trouble.
    
    			regards, tom lane