Re: [PATCH] Support using "all" for the db user in pg_ident.conf - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: [PATCH] Support using "all" for the db user in pg_ident.conf
Date
Msg-id Y6uJiZK3V2f5XK6w@paquier.xyz
In response to [PATCH] Support using "all" for the db user in pg_ident.conf  (Jelte Fennema <Jelte.Fennema@microsoft.com>)
List pgsql-hackers

On Tue, Dec 27, 2022 at 03:54:46PM +0000, Jelte Fennema wrote:
> This change makes it much easier to have a certain database
> administrator peer or cert authentication, that allows connecting as
> any user. Without this change you would need to add a line to
> pg_ident.conf for every user that is in the database.

That seems pretty dangerous to me.  For one, how does this work in
cases where we expect the ident entry to be case-sensitive, aka
authentication methods where check_ident_usermap() and check_usermap()
use case_insensitive = false?

Anyway, it is a bit confusing to see a patch touching parts of the
ident code related to the system-username while it claims to provide a
means to shortcut a check on the database-username.  If you think that
some renames should be done to IdentLine, these ought to be done
first.
--
Michael
