On 5/13/21 7:38 PM, Bossart, Nathan wrote:
> Hi hackers,
>
> I've attached a small patch that allows specifying only direct members
> of a group in pg_hba.conf. The "+" prefix offered today matches both
> direct and indirect role members, which may complicate some role
> setups. For example, if you have one set of roles that are members of
> the "pam" role and another set that are members of the "scram-sha-256"
> role, granting membership in a PAM role to a SCRAM role might
> inadvertently modify the desired authentication method for the
> grantee. If only direct membership is considered, no such inadvertent
> authentication method change would occur.
>
> I chose "&" as a new group name prefix for this purpose. This choice
> seemed as good as any, but I'm open to changing it if anyone has
> suggestions. For determining direct role membership, I added a new
> function in acl.c that matches other related functions. I added a new
> role cache type since it seemed to fit in reasonably well, but it seems
> unlikely that there is any real performance benefit versus simply
> open-coding the syscache lookup.
>
> I didn't see any existing authentication tests for groups at first
> glance. If folks are interested in this functionality, I can work on
> adding some tests for this stuff.
>
Do we really want to be creating two classes of role membership?
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com