Re: [PoC] Delegating pg_ident to a third party - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: [PoC] Delegating pg_ident to a third party
Date
Msg-id 0e0c038ab962c3f6dab00934fe5ae1ae115f44c0.camel@vmware.com
Whole thread Raw
In response to Re: [PoC] Delegating pg_ident to a third party  (Peter Eisentraut <peter.eisentraut@enterprisedb.com>)
Responses Re: [PoC] Delegating pg_ident to a third party
List pgsql-hackers
On Fri, 2021-12-17 at 10:06 +0100, Peter Eisentraut wrote:
> On 17.12.21 00:48, Jacob Champion wrote:
> > WDYT? (My responses here will be slower than usual. Hope you all have a
> > great end to the year!)
> 
> Looks interesting.  I wonder whether putting this into pg_ident.conf is 
> sensible.  I suspect people will want to eventually add more features 
> around this, like automatically creating roles or role memberships, at 
> which point pg_ident.conf doesn't seem appropriate anymore.

Yeah, pg_ident is getting too cramped for this.

> Should we have a new file for this?  Do you have any further ideas?

My experience with these configs is mostly limited to HTTP servers.
That said, it's pretty hard to beat the flexibility of arbitrary key-
value pairs inside nested contexts. It's nice to be able to say things
like

    Everyone has to use LDAP auth
    With this server
    And these TLS settings

    Except admins
        who additionally need client certificates
        with this CA root

    And Jacob
        who isn't allowed in anymore

Are there any existing discussions along these lines that I should take
a look at?

--Jacob

pgsql-hackers by date:

Previous
From: Andrey Borodin
Date:
Subject: Re: Index-only scans vs. partially-retrievable indexes
Next
From: tushar
Date:
Subject: Re: refactoring basebackup.c