Re: [v9.1] Add security hook on initialization of instance - Mailing list pgsql-hackers

From KaiGai Kohei
Subject Re: [v9.1] Add security hook on initialization of instance
Date
Msg-id 4C3AA0E4.2040005@ak.jp.nec.com
Whole thread Raw
In response to Re: [v9.1] Add security hook on initialization of instance  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
(2010/07/09 23:52), Stephen Frost wrote:
> * Stephen Frost (sfrost@snowman.net) wrote:
>> Guess my first thought was that you'd have a database-level label that
>> would be used by SELinux to validate a connection.  A second thought is
>> labels for roles.  KaiGai, can you provide your thoughts on this
>> discussion/approach/problems?  I realize it's come a bit far-afield from
>> your original proposal.
> 
> Something else which has come up but is related is the ability to
> support a "pam_tally"-like function in PG.  Basically, the ability to
> lock users out if they've had too many failed login attempts.  I wonder
> if we could add this hook (or maybe have more than one if necessary) in
> a way to support a contrib module for that.
> 
It seems to me a good idea.

BTW, where do you intend to apply this "pam_tally" like functionality?
If it tries to lock users out on the identification stage; like the
pam_tally.so on operating systems, the hook should be placed on the
top-half of ClientAuthentication().

On the other hand, when we tries to set up properties of a certain user's
session, it needs to be placed on the authorization stage.
In the PG code, InitializeSessionUserId() just performs the role to assign
the authenticated user's identifier on the current session. It seems to me
it is a candidate where we put a hook on the authorization stage.

Of course, these are not exclusive. We can provide two hooks to provide
a chance to get control on identification and authorization stages.

Thanks,
-- 
KaiGai Kohei <kaigai@ak.jp.nec.com>


pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: WIP patch: pass outer-relation Vars as parameters to indexscans
Next
From: KaiGai Kohei
Date:
Subject: Re: get_whatever_oid, part 2