Re: [Patch] Using Windows groups for SSPI authentication - Mailing list pgsql-hackers

From Russell Foster
Subject Re: [Patch] Using Windows groups for SSPI authentication
Date
Msg-id CA+VXQbJ9Rqm25mZMNgrDusD_uZbo59S4hW14y+zLOwtUBmnnOQ@mail.gmail.com
Whole thread Raw
In response to Re: [Patch] Using Windows groups for SSPI authentication  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Going to take a guess at what you mean by:

I do object to using syntax that makes random assumptions about what a
user name can or can't be.

Are you referring to the "+" syntax in the ident file? I chose that because somewhere else (hba?) using the same syntax for groups. The quotes are just there to make the  group name case sensitive.


On Tue, Oct 13, 2020 at 1:15 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Russell Foster <russell.foster.coding@gmail.com> writes:
> I have some code that I've been using that supports adding and
> authenticating Windows groups via the pg_ident file. This is useful for
> sysadmins as it lets them control database access outside the database
> using Windows groups. It has a new
> indicator (+), that signifies the identifier is a Windows group, as in the
> following example:

> # MAPNAME SYSTEM-USERNAME PG-USERNAME
> "Users" "+User group" postgres

While I don't object to adding functionality to access Windows groups,
I do object to using syntax that makes random assumptions about what a
user name can or can't be.

There was a prior discussion of this in the context of some other patch
that had a similar idea.  [ digs in archives... ]  Ah, here it is:

https://www.postgresql.org/message-id/flat/4ba3ad54-bb32-98c6-033a-ccca7058fc2f%402ndquadrant.com

It doesn't look like we arrived at any firm consensus about what to
do instead, but maybe you can find some ideas there.

                        regards, tom lane

pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: setLastTid() and currtid()
Next
From: Benoit Marchant
Date:
Subject: Using pgadmin with AWS RDS https based Data API