Discussion: Authentication problem

Authentication problem

From
Dmitry Morozovsky
Date:
Hi there colleagues,

From the Docs (Admin 4.1):

    There is no "fall-through" or "backup": if one record is chosen
    and the authentication fails, the following records are not
    considered.

Are there any plans to loosen this restriction? It would be very useful
to use e.g.

local    all        ident        admin
local    sameuser    ident        sameuser
local    all        password    passwd.user


and have backup pseudo-users in admin ident-map, allow connecting users to
personal databases and list exceptions in password file.

Or, is there another way to achieve this?

Also, of course, it would be _very_ useful to tell full connects and
read-only connects (not allowed to create tables/indexes/views/etc...)

Sincerely,
D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------


Re: Authentication problem

From
Tom Lane
Date:
Dmitry Morozovsky <marck@rinet.ru> writes:
>     There is no "fall-through" or "backup": if one record is chosen
>     and the authentication fails, the following records are not
>     considered.

> Are there any plans to loosen this restriction?

No.  I don't believe we could count on clients to respond to multiple
authentication challenges of different types.

> It would be very useful to use e.g.

> local    all        ident        admin
> local    sameuser    ident        sameuser
> local    all        password    passwd.user

The "sameuser" part of this works now, since sameuser is a record
matching constraint, not an authentication test.

There has been some talk of adding a more flexible username-matching
field to pg_hba (whereupon the file name would be inappropriate ;-))
but no one's really done any work on it.

            regards, tom lane
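
A small model of the record selection discussed above, added here as an illustration; it is not part of the thread and not PostgreSQL's code. It uses the four-field record layout from the post, and the ident map contents, the password table and the `SAMEUSER_FIRST` ordering are constructed assumptions.

```python
# Simplified model: first matching record is chosen, its auth test runs, and
# later records are never tried. Record layout: TYPE DATABASE AUTHTYPE ARGUMENT.
IDENT_MAPS = {"admin": {("root", "postgres")}}    # constructed (OS user, db user) pairs
PASSWORDS = {"passwd.user": {"carol": "s3cret"}}  # constructed stand-in for a password file

def parse(conf):
    """Split each non-empty, non-comment line into its four fields."""
    lines = (ln.split("#")[0].split() for ln in conf.splitlines())
    return [tuple(f) for f in lines if len(f) == 4]

def select_record(records, database, user):
    """Matching step only: 'sameuser' is a constraint on the record, not an auth test."""
    for rec in records:
        db_field = rec[1]
        if db_field in ("all", database) or (db_field == "sameuser" and database == user):
            return rec
    return None

def authenticate(records, database, user, os_user, password=None):
    """Run the auth test of the single selected record; no fall-through on failure."""
    rec = select_record(records, database, user)
    if rec is None:
        return (None, False)
    method, arg = rec[2], rec[3]
    ok = False
    if method == "ident" and arg == "sameuser":
        ok = os_user == user
    elif method == "ident":
        ok = (os_user, user) in IDENT_MAPS.get(arg, set())
    elif method == "password":
        ok = password is not None and PASSWORDS.get(arg, {}).get(user) == password
    return (rec, ok)

# The ordering from the post: the first record matches every local connection,
# so the two records after it are never considered.
AS_POSTED = """
local all      ident    admin
local sameuser ident    sameuser
local all      password passwd.user
"""
# Constructed reordering: a non-matching 'sameuser' record is skipped, and the
# next record is then the one (and only one) whose auth test runs.
SAMEUSER_FIRST = """
local sameuser ident    sameuser
local all      ident    admin
"""
```

With `AS_POSTED`, a user connecting to their own database is rejected by the `admin` ident map and the `sameuser` record is never reached; with `SAMEUSER_FIRST`, the same connection succeeds.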

Re: Authentication problem

From
Bruce Momjian
Date:
> The "sameuser" part of this works now, since sameuser is a record
> matching constraint, not an authentication test.
>
> There has been some talk of adding a more flexible username-matching
> field to pg_hba (whereupon the file name would be inappropriate ;-))
> but no one's really done any work on it.

I hope to add the username for 7.3.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026