Re: rolcanlogin vs. the flat password file - Mailing list pgsql-hackers

From Heikki Linnakangas
Subject Re: rolcanlogin vs. the flat password file
Date
Msg-id 471626F9.4040502@enterprisedb.com
Whole thread Raw
In response to Re: rolcanlogin vs. the flat password file  (Magnus Hagander <magnus@hagander.net>)
Responses Re: rolcanlogin vs. the flat password file
List pgsql-hackers
Magnus Hagander wrote:
> On Sun, Oct 14, 2007 at 06:16:04PM -0400, Stephen Frost wrote:
>> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>>>> Stephen Frost <sfrost@snowman.net> writes:
>>>>> I wonder if the OP was unhappy because he created a role w/ a pw and
>>>>> then couldn't figure out why the user couldn't log in?
>>>> Hm, maybe.  In that case just not filtering the entry out of the flat
>>>> file would be good enough.
>>> I've confirmed the confusing behavior in CVS HEAD.  With password auth
>>> selected in pg_hba.conf:
>> [...]
>>> Should we just do this, or is it worth working harder?
>> I certainly like this.  Honestly, I'd also like the warning when doing a
>> 'create role'/'alter role' that sets/changes the pw on an account that
>> doesn't have 'rolcanlogin'.  Much better to have me notice that I goof'd
>> the command and fix it before telling the user 'go ahead and log in'
>> than to have the user complain that it's not working. :)
>>
>> Just my 2c.
> 
> I think that's a good idea. Attached is a patch that implements this (I
> think - haven't messed around in that area of the code before). Thoughts?

Is WARNING an appropriate level for this? I think NOTICE is enough, it's
not like something bad is going to happen if you do that, it just means
that you've likely screwed up.

There's legitimate use for creating a role with NOLOGIN and a password.
Maybe you're going to give login privilege later on. It wouldn't be nice
to get WARNINGs in that case, even NOTICEs would be sligthly annoying.

Note that per-role guc variables will also have no effect on a role with
no login privilege. How about connection limit, is that inherited?

--  Heikki Linnakangas EnterpriseDB   http://www.enterprisedb.com


pgsql-hackers by date:

Previous
From: Hannes Eder
Date:
Subject: Re: random dataset generator for SKYLINE operator
Next
From: Tom Lane
Date:
Subject: Re: [COMMITTERS] pgsql: Re-allow UTF8 encodings on win32.