Re: Password sub-process ...

From Marc G. Fournier
Subject Re: Password sub-process ...
Date
Msg-id 20020730002544.L3083-100000@mail1.hub.org
In response to Re: Password sub-process ...  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses Re: Password sub-process ...  (Bruce Momjian <pgman@candle.pha.pa.us>)
Re: Password sub-process ...  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Mon, 29 Jul 2002, Bruce Momjian wrote:

> Actually, it is replaced by encrypted pg_shadow by default in 7.3, and
> the new USER (users or groups) column in pg_hba.conf that will be in 7.3
> that can restrict based on user/group.  This replaces the use of the
> secondary file for just usernames.  You can now specify a filename in
> pg_hba.conf listing these.  Would you look over the pg_hba.conf in CVS
> and tell me what additional things are needed.

Wow, what a change ... some nice stuff in there, mind you, but unless I'm
missing something, you've thrown out some *major* functionality that we
had before :( And since I missed this, it's quite possible that I am
missing something :)

First and foremost in my mind ... how do you have two users in the system
with separate passwords?

For instance, I have an application where right now each authenticated
user has a separate userid/pass in pg_user ... this doesn't deal well with
running multiple instances of this app on the same instance of PgSQL,
since as soon as there are two 'bruce' users, only one can have a password
... I could run two instances of PgSQL, but then you have to split the
resources between the two, instead of, for instance, having one great big
shared memory pool attached to one instance to cover both ...

So, I recode the app (yes, I have an app that was coded like this that I
have to fix ... we weren't thinking when we wrote that section) so that
when I add a new user to the application it does two things:
  1. adds the username to pg_user *if* required
  2. adds the username/password to a "password" file specific to that
     instance of the application

So, unless I've missed something, in v7.3, this won't be possible?

Somehow, I need to be able to have two users Bruce in pg_users, each with
separate passwords, with Bruce with pass1 having access to database1 and
Bruce with pass2 having access to database2 ...

Now, to knock out some thoughts here ... would it be possible to add a
field to pg_{user,shadow} to state what database that userid/passwd pair
belongs to?  so, if AUTHTYPE == md5 or password, authentication would be
based on all those users that 'belong' to that database?  This could add
the ability for a database owner to easily add a user for his/her
database, in that if a user is created within a specific database by a
non-superuser account, it automatically assigns that user to that database?

CREATE USER would have an extra, optional parameter of 'FOR <database>'?




