* Henry B. Hotz (hotz@jpl.nasa.gov) wrote:
> What the krb5 method does is IMO a documented bug. The realm name is part
> of the name.
>
> As I explained at some length you cannot assume the username (first
> component of the principal) has any meaning by itself, except in small
> deployments with no external trust agreements. Kerberos (and AD) are
> designed to support larger infrastructures with multiple organizations.
This isn't unexpected for PG as the current krb5 support does this. I'm
not a big fan of it but at the same time I don't feel it's justification
to drop it from 8.3. Having it only allow the default realm would be an
option which could work in 8.3, imv. Longer term (since it's likely too
late to be accepted now), as I think has been discussed in the past, PG
could really use a .k5login-esque, either admin-only (ala pg_hba.conf /
ident map) or per-user (some sort of ALTER ROLE that a user could do on
himself?), mapping functionality.
It doesn't strike me as terribly complex or hard to do but it certainly
goes beyond the what is currently implemented for GSS in 8.3, and what
exists currently for krb5. It's also something which could,
technically, be added later. I do think it would be better done now
though, if possible, since otherwise we would have to default to the
current sub-par behaviour for quite some time (if not forever).
Thanks,
Stephen