Re: Adding usernames to pg_hba.conf - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: Adding usernames to pg_hba.conf
Date
Msg-id 200203191617.g2JGHw801092@candle.pha.pa.us
In response to Re: Adding usernames to pg_hba.conf  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-patches
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > I have been thinking about it and I think one file in data/global/
> > similar to pg_pwd will work.
>
> Yeah, if you model it on the pg_shadow trigger then at least it's no worse
> than it is now ;-).  Note the checks that exist in the pg_shadow trigger
> to require usernames not to contain any characters that would break the
> file formatting; this will have to be done for groupnames now too.

Yes, got it.

> Also note that (if you plan to write user names and not just user IDs)
> an update of pg_shadow will need to force rewrite of the group file not
> only the shadow file.

Good point.

> Thinking about that, I wonder why not stick to just one file: extend the
> content of pg_pwd to include group membership info, and rewrite it when
> either pg_shadow or pg_group changes.

Well, pg_pwd is really there for passwords, and hba.c doesn't touch it.
It only gets read as part of actual authentication, while the group file
is used only in hba.c to load the connection patterns.  Seems like
mixing them would cause more confusion than it is worth.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
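
The check Tom Lane describes above (names must not contain characters that would break the file formatting, now for group names as well as user names), sketched as an added example; it is not code from this message or from PostgreSQL. The one-line-per-group layout, the separator set, and the function names `name_is_safe` and `format_group_line` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* ASSUMED format, for illustration only (not PostgreSQL's actual file):
 *   groupname<TAB>user1 user2 ...<NEWLINE>
 * so tab, space, CR or newline inside a name would change how a line parses. */
#define NAME_BREAKERS "\t\n\r "

/* Returns 1 if the name is non-empty and holds no separator character. */
int name_is_safe(const char *name)
{
    return name[0] != '\0' && strpbrk(name, NAME_BREAKERS) == NULL;
}

/* Builds one group line in buf. Returns its length, or -1 with buf left
 * empty if any name is unsafe or the line does not fit. All names are
 * checked before anything is written, so no partial line is produced. */
int format_group_line(char *buf, size_t buflen, const char *group,
                      const char **users, size_t nusers)
{
    size_t need = strlen(group) + 2, i;   /* group + TAB + NEWLINE */

    if (buflen == 0) return -1;
    buf[0] = '\0';
    if (!name_is_safe(group)) return -1;
    for (i = 0; i < nusers; i++) {
        if (!name_is_safe(users[i])) return -1;
        need += strlen(users[i]) + (i ? 1 : 0);   /* space between users */
    }
    if (need + 1 > buflen) return -1;             /* +1 for the NUL */
    strcat(strcpy(buf, group), "\t");
    for (i = 0; i < nusers; i++) {
        if (i) strcat(buf, " ");
        strcat(buf, users[i]);
    }
    strcat(buf, "\n");
    return (int) need;
}

int main(void)
{
    char buf[128];
    /* Constructed input: the second name would add a line if written as-is. */
    const char *users[] = {"alice", "eve\nadmins\teve"};
    int n = format_group_line(buf, sizeof buf, "staff", users, 2);
    printf("%s\n", n < 0 ? "rejected" : buf);
    return 0;
}
```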
