On Mon, Jun 04, 2001 at 12:29:08PM -0400, Tom Lane wrote:
> > i imagine it would be architectually difficult to have seperate user/group
> > tables per database.
>
> Codewise it would be trivial --- remove 'em from the list of shared
> relations. From the point of view of backwards compatibility, however,
> that's not likely to happen.
>
> If you want to restrict users to connect only to their own database,
> the 'sameuser' option in pg_hba.conf might be helpful.
my goal is a bit bigger than that.
at some point in the past, i posted a tweak that allowed one to have a
database authenticated similar to that of /bin/login.
ie. the client passes username/plain-text password, and that is authenticated
against crypto-gunge in the pg_shadow table.
(currently the authentication schemes seem to insist on storing plain-text
passwords in pg_shadow, which i just can't stomach).
(that tweak BTW was done in a completely reverse-compatability way)
with this tweak in place, i can then do PHP scripts which allow the webserver
to store the username/plain-textpass in session variables, and use them with
each call to the pgsql API.
this allows me to use the system catalogs for allowing/denying access to the
tables, without having to fake up some table with SELECT priv for user
"nobody" (or whatever the webserver is running as).
further to this, if i can have seperate pg_user/pg_shadow per database, then
i can have wholly seperate userbases for each database, rather than trying
to manage all my users in a single table.
--
[ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]
