Re: [PATCH] Expose port->authn_id to extensions and triggers

Jacob Champion <pchampion@vmware.com>

From: Jacob Champion <pchampion@vmware.com>
To: "rjuju123@gmail.com" <rjuju123@gmail.com>, "peter.eisentraut@enterprisedb.com" <peter.eisentraut@enterprisedb.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, "michael@paquier.xyz" <michael@paquier.xyz>, "sfrost@snowman.net" <sfrost@snowman.net>
Date: 2022-03-03T19:12:11Z
Lists: pgsql-hackers
On Wed, 2022-03-02 at 09:18 +0100, Peter Eisentraut wrote:
> On 01.03.22 23:05, Jacob Champion wrote:
> > On Tue, 2022-03-01 at 19:56 +0100, Peter Eisentraut wrote:
> > > This patch contains no documentation.  I'm having a hard time
> > > understanding what the name "session_authn_id" is supposed to convey.
> > > The comment for the Port.authn_id field says this is the "system
> > > username", which sounds like a clearer terminology.
> > 
> > "System username" may help from an internal development perspective,
> > especially as it relates to pg_ident.conf, but I don't think that's
> > likely to be a useful descriptor to an end user. (I don't think of a
> > client certificate's Subject Distinguished Name as a "system
> > username".) Does my attempt in v5 help?
> 
> Yeah, maybe there are better names.  But I have no idea what the letter 
> combination "authn_id" is supposed to stand for.  Is it an 
> "authentication identifier"? What does it identify?

Authenticated identity, but yeah, that's the gist. ("AuthN" being a
standard-ish way to differentiate authentication from "AuthZ"
authorization.)

It's meant to uniquely identify the end user in the case of usermaps,
where multiple separate entities might log in using the same role. It
is distinct from the authorized role name, though they might be exactly
the same in many common setups. And it's not set at all if no
authentication was done.

> Maybe I'm missing something here, but I don't find it clear.

I just used the internal name, but if we want to make it more clear
then now would be a good time. Do you have any suggestions? Does
expanding the name (pg_session_authenticated_id, or even
pg_session_authenticated_identity) help?

--Jacob

Commits

  1. Remove initialization of MyClientConnectionInfo at backend startup

  2. Allow parallel workers to retrieve some data from Port