Thread: Re: Extending SET SESSION AUTHORIZATION

Re: Extending SET SESSION AUTHORIZATION

From
Bruce Momjian
Date:
Ezra Epstein wrote:
> 
> I'd like to extend SET SESSION AUTHORIZATION to support a form which takes a
> password.  Looking at the source it seems, other than changes to the parser,
> there are only 2 relevant functions in 2 files that would be affected.  Each
> function is quite small and its function is clear.
> 
> I did not find this functionality on the current to-do list:
>     http://developer.postgresql.org/todo.php
> And I'm quite new to the PG backend.  I don't want to code something up that
> is unwelcome by the developers.  On the other hand, if appropriate/accepted,
> I'd be glad to write this little addition to the current functionality.

[ CC to hackers added.]

Uh, a password?  What purpose would that serve?  Isn't that something
you control when attaching to the database?  Is this for prompting for
a username password?  The problem is that the SQL query passing isn't
secure like the way we send passwords using libpq, so I don't think this
would be secure or wise to hardcode a password in the SQL.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
359-1001+  If your life is a hard drive,     |  13 Roberts Road +  Christ can be your backup.        |  Newtown Square,
Pennsylvania19073
 


Re: Extending SET SESSION AUTHORIZATION

From
Tom Lane
Date:
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Ezra Epstein wrote:
>> I'd like to extend SET SESSION AUTHORIZATION to support a form which takes a
>> password.

> Uh, a password?  What purpose would that serve?

Indeed.  SET SESSION AUTH is already allowed only to superusers --- a
superuser hardly needs any additional privileges to become whoever he
wants.
        regards, tom lane


Re: Extending SET SESSION AUTHORIZATION

From
"Ezra Epstein"
Date:
> -----Original Message-----
> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
> Sent: Monday, January 26, 2004 7:56 PM
> To: Bruce Momjian
> Cc: eepstein@prajnait.com; PostgreSQL-development
> Subject: Re: [HACKERS] Extending SET SESSION AUTHORIZATION
>
>
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Ezra Epstein wrote:
> >> I'd like to extend SET SESSION AUTHORIZATION to support a form
> which takes a
> >> password.
>
> > Uh, a password?  What purpose would that serve?
>
> Indeed.  SET SESSION AUTH is already allowed only to superusers --- a
> superuser hardly needs any additional privileges to become whoever he
> wants.
>
>             regards, tom lane
>

For exactly the opposite usage: allowing a non-privileged user to take on a
different authorization IFF a password is also supplied.  This allows a user
to use an existing connection (so, for example, connection pooling works)
and not require a high priv'd account to then act as a specific (and
specifically priv'd) user of the system.

E.g., I could then have a user who has only connection privs for the DB and
then use a SET SESSION AUTH as a means of "logging in" as a specific user.
What this buys me:    Connection pooling (critical for volume web apps)    Postgres (DB) level enforcement of
privilegesvia GRANT and REVOKE : so
 
that my priv scheme is consistent across db access methods and I don't have
to be too concerned about replicating the authorization logic out in the app
layer.

== Ezra Epstein.




Re: Extending SET SESSION AUTHORIZATION

From
Shridhar Daithankar
Date:
Tom Lane wrote:

> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> 
>>Ezra Epstein wrote:
>>
>>>I'd like to extend SET SESSION AUTHORIZATION to support a form which takes a
>>>password.
> 
> 
>>Uh, a password?  What purpose would that serve?
> 
> 
> Indeed.  SET SESSION AUTH is already allowed only to superusers --- a
> superuser hardly needs any additional privileges to become whoever he
> wants.

It is very helpful for connection pooling/persistent connections. Say I have 10 
connections opened as superuser. I can switch the connection authorization per 
query and let database enforce the rules and access control.

For authentication, I can keep a dummy connection.

There could be multiple ways to improve this behaviour.

1. If a non super-user attempts set session authorization, let him do so with 
proper password.

2. Add password to set session authorization as suggested above.

I would prefer this actually. In case the application is breached, with option 
2, the database is left wide open. With option 1, that may not be the case if 
initial connection is with a sufficiently unprivilaged user. But then I need to 
cache the actual password, which is another can of worms..:-(

Additionally it would be great if libpq could just authenticate a user without 
forking a backend. I think some kind of PAM voodoo can be substituted for that 
but having a libpq frontend is great.

I did suggest this earlier as well. Just reiterating..
 Shridhar