Thread: nested xacts: update password file
An untested patch to update the password file.

Something that bugged me a lot is that I tried to find the format of the
file for testing the patch, and I couldn't find anything anywhere in the
docs. Apparently the docs for the file were ripped with the docs for
the pg_passwd utility when it was ripped before the 7.3 release.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Some men are heterosexual, and some are bisexual, and some
men don't think about sex at all... they become lawyers" (Woody Allen)
Alvaro, you call GetParentTransactionId(), but I see no definition for
it in the code.

---------------------------------------------------------------------------

Alvaro Herrera wrote:
> An untested patch to update the password file.
>
> Something that bugged me a lot is that I tried to find the format of the
> file for testing the patch, and I couldn't find anything anywhere in the
> docs. Apparently the docs for the file were ripped with the docs for
> the pg_passwd utility when it was ripped before the 7.3 release.
>
> --
> Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
> "Some men are heterosexual, and some are bisexual, and some
> men don't think about sex at all... they become lawyers" (Woody Allen)

[ Attachment, skipping... ]

>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faqs/FAQ.html

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
On Mon, Jul 12, 2004 at 12:05:40PM -0400, Bruce Momjian wrote:
>
> Alvaro, you call GetParentTransactionId(), but I see no definition for
> it in the code.

Let me include this patch in the next patch I'll submit shortly.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"I suspect most samba developers are already technically insane...
Of course, since many of them are Australians, you can't tell." (L. Torvalds)
OK. Also, I would like you to post a list of the open items you have so
we can all know the status.

---------------------------------------------------------------------------

Alvaro Herrera wrote:
> On Mon, Jul 12, 2004 at 12:05:40PM -0400, Bruce Momjian wrote:
> >
> > Alvaro, you call GetParentTransactionId(), but I see no definition for
> > it in the code.
>
> Let me include this patch in the next patch I'll submit shortly.
>
> --
> Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
> "I suspect most samba developers are already technically insane...
> Of course, since many of them are Australians, you can't tell." (L. Torvalds)
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Patch withdrawn by author.

---------------------------------------------------------------------------

Alvaro Herrera wrote:
> An untested patch to update the password file.
>
> Something that bugged me a lot is that I tried to find the format of the
> file for testing the patch, and I couldn't find anything anywhere in the
> docs. Apparently the docs for the file were ripped with the docs for
> the pg_passwd utility when it was ripped before the 7.3 release.
>
> --
> Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
> "Some men are heterosexual, and some are bisexual, and some
> men don't think about sex at all... they become lawyers" (Woody Allen)

[ Attachment, skipping... ]

>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faqs/FAQ.html

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Alvaro, you call GetParentTransactionId(), but I see no definition for
> it in the code.

It looks like Alvaro forgot to include diffs for xact.c in that patch.
I imagine what he had in mind was to add such a function to xact.c.

I would like to counsel *not* doing that, mainly because it wouldn't
have any well-defined result when not inside a subxact. What we are
doing for other end-of-subxact functions is to pass the parent XID
explicitly as a parameter; it seems best to me to adopt that approach
for the password function too.

Another minor gripe is the comment that says this logic matches inval.c;
that's not true anymore, I think.

Other than that the patch looks okay to me, but I'll wait for Alvaro
to submit a combined patch rather than adjusting xact.c underneath him.

A todo item for you, Bruce, is to put back the missing documentation
that Alvaro complained of:

>> Something that bugged me a lot is that I tried to find the format of the
>> file for testing the patch, and I couldn't find anything anywhere in the
>> docs. Apparently the docs for the file were ripped with the docs for
>> the pg_passwd utility when it was ripped before the 7.3 release.

			regards, tom lane
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Alvaro, you call GetParentTransactionId(), but I see no definition for
> > it in the code.
>
> It looks like Alvaro forgot to include diffs for xact.c in that patch.
> I imagine what he had in mind was to add such a function to xact.c.
>
> I would like to counsel *not* doing that, mainly because it wouldn't
> have any well-defined result when not inside a subxact. What we are
> doing for other end-of-subxact functions is to pass the parent XID
> explicitly as a parameter; it seems best to me to adopt that approach
> for the password function too.
>
> Another minor gripe is the comment that says this logic matches inval.c;
> that's not true anymore, I think.
>
> Other than that the patch looks okay to me, but I'll wait for Alvaro
> to submit a combined patch rather than adjusting xact.c underneath him.

Alvaro is resubmitting.

> A todo item for you, Bruce, is to put back the missing documentation
> that Alvaro complained of:
>
> >> Something that bugged me a lot is that I tried to find the format of the
> >> file for testing the patch, and I couldn't find anything anywhere in the
> >> docs. Apparently the docs for the file were ripped with the docs for
> >> the pg_passwd utility when it was ripped before the 7.3 release.

I was confused by this. What docs for the password file did we have?

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
OK, but why would we document the contents of a file that are not to be
modified by the user?

---------------------------------------------------------------------------

Alvaro Herrera wrote:
> On Mon, Jul 12, 2004 at 02:18:40PM -0400, Bruce Momjian wrote:
>
> > > >> Something that bugged me a lot is that I tried to find the format of the
> > > >> file for testing the patch, and I couldn't find anything anywhere in the
> > > >> docs. Apparently the docs for the file were ripped with the docs for
> > > >> the pg_passwd utility when it was ripped before the 7.3 release.
> >
> > I was confused by this. What docs for the password file did we have?
>
> I see this in 7.2 docs. This is not mentioned anywhere in current docs.
> Does it work with other auth mechanisms (md5, crypt)?
>
> <para>
> The format of a text password file is one entry per line; the fields
> of each entry are separated by colons. The first field is the user
> name, the second field is the encrypted password. Other fields are
> ignored (to allow password files to be shared between applications
> that use similar formats). <application>pg_passwd</application>
> enables users to interactively add entries to such a file, to alter
> passwords of existing entries, and to encrypt such passwords.
> </para>
>
> [...]
>
> <para>
> To make use of this password file, put a line like the following in
> <filename>pg_hba.conf</filename>:
>
> <programlisting>
> host mydb 133.65.96.250 255.255.255.255 password passwords
> </programlisting>
>
> which would allow access to database mydb from host 133.65.96.250 using
> the passwords listed in the <filename>passwords</filename> file (and
> only to the users listed in that file).
> </para>
>
> <note>
> <para>
> It is also useful to have entries in a password file with empty
> password fields. (This is different from an empty password.) Such
> entries allow you to restrict users who can access the system. These
> entries cannot be managed by <application>pg_passwd</application>,
> but you can edit password files manually.
> </para>
> </note>
>
>
> --
> Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
> "The first law of live demos is: don't try to use the system.
> Write a script that touches nothing, so as not to cause damage." (Jakob Nielsen)
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> OK, but why would we document the contents of a file that are not to be
> modified by the user?

Also note that the 7.2 docs are out of date anyway (looks to me like
we use spaces not colons as column separators...)

			regards, tom lane
On Mon, Jul 12, 2004 at 02:18:40PM -0400, Bruce Momjian wrote:

> > >> Something that bugged me a lot is that I tried to find the format of the
> > >> file for testing the patch, and I couldn't find anything anywhere in the
> > >> docs. Apparently the docs for the file were ripped with the docs for
> > >> the pg_passwd utility when it was ripped before the 7.3 release.
>
> I was confused by this. What docs for the password file did we have?

I see this in 7.2 docs. This is not mentioned anywhere in current docs.
Does it work with other auth mechanisms (md5, crypt)?

<para>
The format of a text password file is one entry per line; the fields
of each entry are separated by colons. The first field is the user
name, the second field is the encrypted password. Other fields are
ignored (to allow password files to be shared between applications
that use similar formats). <application>pg_passwd</application>
enables users to interactively add entries to such a file, to alter
passwords of existing entries, and to encrypt such passwords.
</para>

[...]

<para>
To make use of this password file, put a line like the following in
<filename>pg_hba.conf</filename>:

<programlisting>
host mydb 133.65.96.250 255.255.255.255 password passwords
</programlisting>

which would allow access to database mydb from host 133.65.96.250 using
the passwords listed in the <filename>passwords</filename> file (and
only to the users listed in that file).
</para>

<note>
<para>
It is also useful to have entries in a password file with empty
password fields. (This is different from an empty password.) Such
entries allow you to restrict users who can access the system. These
entries cannot be managed by <application>pg_passwd</application>,
but you can edit password files manually.
</para>
</note>

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"The first law of live demos is: don't try to use the system.
Write a script that touches nothing, so as not to cause damage." (Jakob Nielsen)
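The entry format described in the 7.2 documentation quoted above, as an added example that is not part of the original message and not PostgreSQL code. The `PwEntry` struct, the `parse_pw_line` name and the sample lines are assumptions made for illustration; the last sample shows that a user name containing the separator is split at the first colon.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* One parsed entry of the 7.2-style text password file (hypothetical type). */
typedef struct {
    char user[64];
    char secret[128];   /* second field, kept as found (already encrypted) */
    bool has_secret;    /* false when the password field is empty */
} PwEntry;

/*
 * Parse "user:encrypted[:ignored...]" into *out.
 * Returns 0 on success, -1 if the user name is missing or a field is too long.
 */
int parse_pw_line(const char *line, PwEntry *out)
{
    size_t ulen = strcspn(line, ":\r\n");
    if (ulen == 0 || ulen >= sizeof out->user)
        return -1;
    memcpy(out->user, line, ulen);
    out->user[ulen] = '\0';

    const char *p = line + ulen;
    size_t slen = 0;
    if (*p == ':') {
        p++;
        slen = strcspn(p, ":\r\n");   /* fields after the second are ignored */
    }
    if (slen >= sizeof out->secret)
        return -1;
    memcpy(out->secret, p, slen);
    out->secret[slen] = '\0';
    out->has_secret = slen > 0;
    return 0;
}

int main(void)
{
    /* Constructed sample lines; EXAMPLEHASH is a placeholder, not a real hash. */
    const char *lines[] = {
        "alice:EXAMPLEHASH:1001:shared-with-other-app\n",
        "bob:\n",                  /* listed user with an empty password field */
        "we:ird:EXAMPLEHASH\n",    /* user name containing the separator */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        PwEntry e;
        if (parse_pw_line(lines[i], &e) == 0)
            printf("user=%s has_secret=%d secret=%s\n",
                   e.user, e.has_secret, e.secret);
    }
    return 0;
}
```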
On Mon, Jul 12, 2004 at 02:31:37PM -0400, Bruce Momjian wrote:

> OK, but why would we document the contents of a file that are not to be
> modified by the user?

But how is the file used? Where do I put the file, what do I put in
pg_hba.conf to use the file? Can I have several files, one per
pg_hba.conf entry? Can I use multiple files with a single pg_hba.conf
entry? What happens if I have a username that has the separator in it?

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"The gods do not protect fools. Fools are protected by
more capable fools" (Luis Wu, Mundo Anillo)
Alvaro Herrera wrote:
> On Mon, Jul 12, 2004 at 02:31:37PM -0400, Bruce Momjian wrote:
>
> > OK, but why would we document the contents of a file that are not to be
> > modified by the user?
>
> But how is the file used? Where do I put the file, what do I put in
> pg_hba.conf to use the file? Can I have several files, one per
> pg_hba.conf entry? Can I use multiple files with a single pg_hba.conf
> entry? What happens if I have a username that has the separator in it?

We no longer have the capability for external password files, which is
what the 7.2 docs were talking about. We removed it when we went to
encrypted MD5 password and pg_hba.conf entries where you can reference
external lists of users and groups.

The file you were touching is a cache of usernames written by backends
modifying the pg_shadow table and read by the postmaster.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Alvaro Herrera <alvherre@dcc.uchile.cl> writes:
> But how is the file used? Where do I put the file, what do I put in
> pg_hba.conf to use the file? Can I have several files, one per
> pg_hba.conf entry? Can I use multiple files with a single pg_hba.conf
> entry? What happens if I have a username that has the separator in it?

You don't do anything with it directly. Just create some users and
assign them some passwords and see if the file updates (or even more
directly, try to log in using password auth). It's just a transmission
mechanism to put the important parts of pg_shadow and pg_group in a
place where the postmaster can read 'em.

			regards, tom lane
On Mon, Jul 12, 2004 at 03:19:43PM -0400, Bruce Momjian wrote:
> Alvaro Herrera wrote:
> > On Mon, Jul 12, 2004 at 02:31:37PM -0400, Bruce Momjian wrote:
> >
> > > OK, but why would we document the contents of a file that are not to be
> > > modified by the user?
> >
> > But how is the file used? Where do I put the file, what do I put in
> > pg_hba.conf to use the file? Can I have several files, one per
> > pg_hba.conf entry? Can I use multiple files with a single pg_hba.conf
> > entry? What happens if I have a username that has the separator in it?
>
> We no longer have the capability for external password files, which is
> what the 7.2 docs were talking about. We removed it when we went to
> encrypted MD5 password and pg_hba.conf entries where you can reference
> external lists of users and groups.
>
> The file you were touching is a cache of usernames written by backends
> modifying the pg_shadow table and read by the postmaster.

Oh, I see! Thanks for the clarification.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"XML!" Exclaimed C++. "What are you doing here? You're not a programming
language."
"Tell that to the people who use me," said XML.