Re: Connect as multiple users using single client certificate - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: Connect as multiple users using single client certificate
Date
Msg-id 20191016225304.GM6962@tamriel.snowman.net
In response to Re: Connect as multiple users using single client certificate  (Kyle Bateman <kyle@batemans.org>)
List pgsql-hackers
Greetings,

* Kyle Bateman (kyle@batemans.org) wrote:
> What I hope to accomplish is: Establish a secure, encrypted connection to
> Postgresql from a trusted process, possibly running on another machine, whom
> I trust to tell me which user (within a limited set, defined by a role) it
> would like to connect as.  That process does its own robust authentication
> of users before letting them through to the database by the username they
> claim.  However, it is still useful to connect as different users because my
> views and functions operate differently depending on which user is on the
> other end of the connection.
>
> Is there a way I can accomplish this using the existing authentication
> methods (other than trust)?

Have you considered just having a regular client-side cert for the
middleware that logs in as a common user to the PG database, and then
performs a SET ROLE to whichever user the middleware has authenticated
the user as?  That seems to match pretty closely what you're looking for
and has the advantage that it'll also allow you to work through
connection poolers.

Thanks,

Stephen
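
The setup suggested in this reply, sketched as an added example that is not part of the original message or of the PostgreSQL project's own material. The role names (`app_gateway`, `app_users`, `alice`, `bob`), the database name `appdb` and the address range are assumptions constructed for illustration.

```sql
-- Assumed names (not from the thread): middleware login role app_gateway,
-- end-user roles alice and bob, group role app_users, database appdb.

-- pg_hba.conf on the server (constructed address range): accept only
-- TLS connections presenting a verified client certificate whose CN
-- matches the login role, and only for the middleware role.
--   hostssl  appdb  app_gateway  10.0.0.0/24  cert

-- End-user roles cannot log in directly; they exist as SET ROLE targets.
CREATE ROLE app_users NOLOGIN;
CREATE ROLE alice NOLOGIN IN ROLE app_users;
CREATE ROLE bob   NOLOGIN IN ROLE app_users;

-- The middleware authenticates with its certificate as one common role.
-- NOINHERIT: it holds none of the users' privileges until it explicitly
-- switches role, so a request that forgets SET ROLE runs with almost nothing.
CREATE ROLE app_gateway LOGIN NOINHERIT;

-- Membership is what permits SET ROLE; the set of roles granted here is
-- the "limited set" of identities the middleware may assume.
GRANT alice, bob TO app_gateway;

-- Per request, after the middleware has authenticated the user itself:
SET ROLE alice;

-- session_user stays the certificate-authenticated login role, while
-- current_user becomes the SET ROLE target that views and functions see.
SELECT session_user, current_user;

-- ... run the user's statements here ...

-- Drop the assumed identity before the connection goes back to a pooler.
RESET ROLE;
```

Anyone able to send arbitrary statements on this session can issue `RESET ROLE` or another `SET ROLE`, so the role switch only holds if the middleware controls the SQL that is executed. Logging and auditing that need the end user should record `current_user`, since `session_user` is always the middleware role.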
