Re: Allowing usernames in pg_hba.conf
От | Bruce Momjian |
---|---|
Тема | Re: Allowing usernames in pg_hba.conf |
Дата | |
Msg-id | 200203142133.g2ELXiY18733@candle.pha.pa.us обсуждение исходный текст |
Ответ на | Allowing usernames in pg_hba.conf (Bruce Momjian <pgman@candle.pha.pa.us>) |
Список | pgsql-hackers |
OK, I no one can seem to come up with an improved file format for pg_hba.conf so I am going to continue in the direction outlined in this email --- basically remove the auth_argument column and make it 'auth_type=auth_arg' and add a username column, plus add the ability for the username and database columns to use a secondary file if the column value starts with @. --------------------------------------------------------------------------- pgman wrote: > > This is definitely stressing pg_hba past its design limits --- heck, the > > name of the file isn't even appropriate anymore, if usernames are part > > of the match criteria. Rather than contorting things to maintain a > > pretense of backwards compatibility, it's time to abandon the current > > file format, change the name, and start over. (I believe there are > > traces in the code of this having been done before.) We could probably > > arrange to read and convert the existing pg_hba format if we don't see > > a new-style authentication config file out there. > > > > My first thoughts are (a) add a column outright for matching username; > > (b) for both database and username columns, allow a filename reference > > so that a bunch of names can be stored separately from the master > > authentication file. I don't much care for sticking large lists of > > names into the auth file itself. > > OK, I have an idea. I was never happy with the AUTH_ARGUMENT column. > What I propose is adding an optional auth_type=val capability to the > file, so an AUTH_ARGUMENT column isn't needed. If a username column > starts with @, it is a file name containing user names. The same can be > done with the database column. Seems very backward compatible.. If you > don't use auth_argument, it is totally compatible. If you do, you need > to use the new format auth_type=val: > > TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE USERNAMES > local all trust fred > host all 127.0.0.1 255.255.255.255 trust @staff > host all 127.0.0.1 255.255.255.255 ident=sales jimmy > > I have thought about a redesign of the file, but I can't come up with > something that is as powerful, and cleaner. Do others have ideas? > > As far as missing features, I can't think of other things people have > asked for in pg_hba.conf except usernames. > > -- > Bruce Momjian | http://candle.pha.pa.us > pgman@candle.pha.pa.us | (610) 853-3000 > + If your life is a hard drive, | 830 Blythe Avenue > + Christ can be your backup. | Drexel Hill, Pennsylvania 19026 > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania19026
В списке pgsql-hackers по дате отправления: