Re: [HACKERS] SPI header dependencies

From: Mike Mascari
Subject: Re: [HACKERS] SPI header dependencies
Msg-id: 385C1DE1.404AA37A@mascari.com
In reply to: Re: [HACKERS] SPI header dependencies  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses: Re: [HACKERS] SPI header dependencies  (Brook Milligan <brook@biology.nmsu.edu>)
List: pgsql-hackers
Tom Lane wrote:
> 
> Mike Mascari <mascarm@mascari.com> writes:
> > SELECT authenticate(<userid>, <password>);
> > where <userid> and <password> are submitted by the client
> > application as input from the user.
> 
> This seems like a completely redundant mechanism to me.
> What is wrong with using the *existing* user authentication
> mechanisms, and then using getpgusername() or CURRENT_USER
> in your queries?

I agree. I imagine the poster's development probably took
the same course as mine - first he was using PostgreSQL as a
backend to a web server, like Apache. He was then probably using
Basic authentication with something like mod_auth_pgsql. In
order to authenticate web pages using something like
mod_auth_pgsql, the httpd user (www, nobody, etc.) would
connect to the database and check the user name and
encrypted password submitted against a user-specified table.
Since the only application that is going to be connecting to
PostgreSQL is the webserver, one is tempted (including me)
to create and manage fake webuser IDs and passwords, and
only have a single real PostgreSQL user id connect to the
database...particularly when the webuser list numbers in the
thousands. That's why I attributed the LRU file descriptor
exhaustion problem I reported about a month ago to kernel
problems instead of the password authentication leak - 90%
of our users use the web-server. The httpd process runs as a
user id which does not have a shell account, and can only
connect to the database on localhost. This whole scheme
looks good at first, until you find yourself developing
Windows-based clients...You either have to shoe-horn in a
hack (like the above) or bite the bullet and migrate your
core authentication mechanism to PostgreSQL's.

> Proposed TODO:
> * Re-examine list of header files that get installed, add/delete as needed
> 
>                         regards, tom lane

Sounds great. Although hopefully not needed in the next
release :-), the most annoying thing in the past was the
inability to build a refint.so from the various binary
distributions...

Mike Mascari
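The two designs discussed above, as an added example that is not part of the original thread or of PostgreSQL's own code: (a) the "fake webuser" scheme, where one real database role is shared by the web server and application users live in a table, and (b) Tom Lane's suggestion of letting PostgreSQL authenticate each user and keying data on CURRENT_USER. All role, table and column names are hypothetical, and the statements use current PostgreSQL syntax (CREATE ROLE ... LOGIN, auto-updatable views), not the syntax of the release being discussed.

```sql
-- (a) Single shared role; the database cannot tell web users apart.
--     Every query, whether from a bug or an injection in the web tier,
--     runs as 'webapp', and CURRENT_USER is always 'webapp'.
CREATE ROLE webapp LOGIN PASSWORD 'change-me';   -- hypothetical role
CREATE TABLE webusers (                           -- hypothetical table
    username text PRIMARY KEY,
    pwhash   text NOT NULL                        -- checked by the application
);
CREATE TABLE notes (
    id       serial PRIMARY KEY,
    username text NOT NULL REFERENCES webusers(username),
    body     text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON webusers, notes TO webapp;
GRANT USAGE ON SEQUENCE notes_id_seq TO webapp;
-- The application runs something like:
--   SELECT pwhash FROM webusers WHERE username = $1;
--   SELECT body   FROM notes    WHERE username = $1;
-- Nothing in the database stops it from supplying any $1 it likes.

-- (b) One real PostgreSQL role per person; the authenticated identity
--     is available as CURRENT_USER, so the view filters on it and a
--     client can only ever reach its own rows, no matter what SQL it sends.
CREATE ROLE alice LOGIN PASSWORD 'alice-secret';  -- hypothetical roles
CREATE ROLE bob   LOGIN PASSWORD 'bob-secret';
CREATE TABLE notes_all (                          -- hypothetical table
    id    serial PRIMARY KEY,
    owner name NOT NULL DEFAULT CURRENT_USER,     -- stamped by the server
    body  text NOT NULL
);
CREATE VIEW my_notes AS
    SELECT id, body FROM notes_all WHERE owner = CURRENT_USER;
-- alice and bob get no privileges on notes_all itself, only on the view;
-- the view is auto-updatable, so inserts go through it and 'owner'
-- takes its default of the connected user.
GRANT SELECT, INSERT ON my_notes TO alice, bob;
GRANT USAGE ON SEQUENCE notes_all_id_seq TO alice, bob;
-- Connected as alice:
--   INSERT INTO my_notes (body) VALUES ('hello');  -- owner = 'alice'
--   SELECT * FROM my_notes;                        -- alice's rows only
--   SELECT * FROM notes_all;                       -- permission denied
```

The point of (b) is that the access decision is made by the server from the identity it authenticated, not from a username the client passes in; a per-user role also means the connection logs and pg_stat_activity show the real person rather than a shared web account.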


In the pgsql-hackers list, by date sent:

Previous
From: Brook Milligan
Message: Re: [HACKERS] Re: [PATCHES] Lock
Next
From: Brook Milligan
Message: Re: [HACKERS] SPI header dependencies