Re: rolcanlogin vs. the flat password file - Mailing list pgsql-hackers

From Tom Lane
Subject Re: rolcanlogin vs. the flat password file
Date
Msg-id 14183.1192395763@sss.pgh.pa.us
In response to Re: rolcanlogin vs. the flat password file  (Stephen Frost <sfrost@snowman.net>)
Responses Re: rolcanlogin vs. the flat password file
List pgsql-hackers
Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> ... I think what the OP wishes
>> is that "not permitted to log in" would be checked before checking
>> password validity, and to do that we'd have to add rolcanlogin
>> to the flat password file and put the check somewhere upstream of the
>> authentication process.

> I wonder if the OP was unhappy because he created a role w/ a pw and
> then couldn't figure out why the user couldn't log in?

Hm, maybe.  In that case just not filtering the entry out of the flat
file would be good enough.  In hindsight I'm not sure why we indulged
in that bit of complication anyway --- it seems unlikely that an
installation would have so many nologin roles, compared to regular ones,
that the increase in size of the flat file would be objectionable.

> In general, I would say that it's correct to say 'invalid
> authentication'/'bad pw' until the user is authenticated and then say
> 'not permitted to log in' if they're not authorized (don't have
> rolcanlogin), which is I think what we do.

That *would* be the behavior if we removed the filtering.

			regards, tom lane
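
An added illustration, not part of the message above and not PostgreSQL source: a simplified C model of the two behaviours discussed in the thread, with and without filtering NOLOGIN roles out of the flat file. The `Role` struct, the catalog contents and the function names are hypothetical, and passwords are compared as plain strings only to keep the model short.

```c
/* Simplified model for illustration; not PostgreSQL source. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const char *password; bool rolcanlogin; } Role;
typedef enum { LOGIN_OK, AUTH_FAILED, NOT_PERMITTED } LoginResult;

/* Constructed sample roles. Plain-text passwords keep the model short. */
static const Role catalog[] = {
    {"alice", "s3cret",  true},
    {"batch", "hunter2", false},  /* NOLOGIN role that was given a password */
};

/* What the authentication step sees. With filter_nologin set, NOLOGIN
 * roles were never written to the flat file, so they look nonexistent. */
static const Role *flat_file_lookup(const char *name, bool filter_nologin)
{
    for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++) {
        if (strcmp(catalog[i].name, name) != 0)
            continue;
        if (filter_nologin && !catalog[i].rolcanlogin)
            return NULL;
        return &catalog[i];
    }
    return NULL;
}

LoginResult try_login(const char *name, const char *pw, bool filter_nologin)
{
    const Role *r = flat_file_lookup(name, filter_nologin);
    /* Authentication: unknown role and wrong password are indistinguishable. */
    if (r == NULL || strcmp(r->password, pw) != 0)
        return AUTH_FAILED;
    /* Authorization: rolcanlogin is consulted only after the password matched. */
    if (!r->rolcanlogin)
        return NOT_PERMITTED;
    return LOGIN_OK;
}

int main(void)
{
    static const char *msg[] = {"ok", "authentication failed", "not permitted to log in"};
    printf("filtered,   right pw: %s\n", msg[try_login("batch", "hunter2", true)]);
    printf("unfiltered, right pw: %s\n", msg[try_login("batch", "hunter2", false)]);
    printf("unfiltered, wrong pw: %s\n", msg[try_login("batch", "wrong", false)]);
    return 0;
}
```

In this model the filtered file reports the NOLOGIN role's correct password as an authentication failure, while the unfiltered file discloses the role's status only to a client that already presented the right password.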

