Re: [QUESTIONS] How is PostgreSQL doing?
I found this patch in my mailbox. Is there any interest in this, or is
it too site-specific?
Eze Ogwuma writes:
Bruce Momjian <maillist@candle.pha.pa.us> writes:
Can you be specific? Something I can add to the TODO list.
Database based access for users so that each user can be given access
to a particular database only. More permissions for each database user:
Create, Drop, Select, Insert etc. Possibly table based
authentication as well.
I needed to do that for the web database that I'm setting up. We have
20000 users and each (potentially) needs a separate database which is
only accessible to them. Rather than having 20000 lines in pg_hba.conf,
I've patched Postgres so that the special token "%username" in the
database field of pg_hba.conf allows access only to the username which
is connecting. (I chose the leading "%" so that it couldn't clash with
a real database name.) Since the patch is against 6.1 rather than
6.2beta, I hadn't made it public. Here it is in case it's of interest.----------------------------- cut here ----------------------------- --- postgresql-v6.1/src/include/libpq/hba.h.ORI Wed Jul 30 18:05:12 1997 +++ postgresql-v6.1/src/include/libpq/hba.h Wed Jul 30 18:05:37 1997 @@ -42,7 +42,7 @@ hba_recvauth(const Port *port, const char database[], const char user[], const char DataDir[]); void find_hba_entry(const char DataDir[], const struct in_addr ip_addr, - const char database[], + const char user[], const char database[], bool *host_ok_p, enum Userauth *userauth_p, char usermap_name[], bool find_password_entries);--- postgresql-v6.1/src/backend/libpq/hba.c.ORI Wed Jul 30 18:05:47 1997 +++ postgresql-v6.1/src/backend/libpq/hba.c Thu Jul 31 14:18:03 1997 @@ -144,8 +144,8 @@static void process_hba_record(FILE *file, - const struct in_addr ip_addr, const char database[], - bool *matches_p, bool *error_p, + const struct in_addr ip_addr, const char user[], + const char database[], bool *matches_p, bool *error_p, enum Userauth *userauth_p, char usermap_name[], bool find_password_entries) { /*--------------------------------------------------------------------------- @@ -173,7 +173,8 @@ if (buf[0] == '\0') *matches_p = false; else { /* If this record isn't for our database, ignore it. */ - if (strcmp(buf, database) != 0 && strcmp(buf, "all") != 0) { + if (strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 + && (strcmp(buf, "%username") != 0 || strcmp(user, database) != 0)) { *matches_p = false; read_through_eol(file); } else { @@ -235,7 +236,8 @@static void process_open_config_file(FILE *file, - const struct in_addr ip_addr, const char database[], + const struct in_addr ip_addr, + const char user[], const char database[], bool *host_ok_p, enum Userauth *userauth_p, char usermap_name[], bool find_password_entries) { /*--------------------------------------------------------------------------- 
@@ -261,7 +263,7 @@ else { if (c == '#') read_through_eol(file); else { - process_hba_record(file, ip_addr, database, + process_hba_record(file, ip_addr, user, database, &found_entry, &error, userauth_p, usermap_name, find_password_entries); } @@ -277,7 +279,7 @@void find_hba_entry(const char DataDir[], const struct in_addr ip_addr, - const char database[], + const char user[], const char database[], bool *host_ok_p, enum Userauth *userauth_p, char usermap_name[], bool find_password_entries) { /*-------------------------------------------------------------------------- @@ -348,8 +350,8 @@ fputs(PQerrormsg, stderr); pqdebug("%s", PQerrormsg); } else { - process_open_config_file(file, ip_addr, database, host_ok_p, userauth_p, - usermap_name, find_password_entries); + process_open_config_file(file, ip_addr, user, database, host_ok_p, + userauth_p, usermap_name, find_password_entries); fclose(file); } free(conf_file); @@ -719,7 +721,7 @@ /* Our eventual return value */- find_hba_entry(DataDir, port->raddr.sin_addr, database, + find_hba_entry(DataDir, port->raddr.sin_addr, user, database, &host_ok, &userauth, usermap_name, false /* don't find password entries of type 'password' */);--- postgresql-v6.1/src/backend/libpq/password.c.ORI Wed Jul 30 18:05:55 1997 +++ postgresql-v6.1/src/backend/libpq/password.c Wed Jul 30 18:06:43 1997 @@ -23,7 +23,7 @@ char *p, *test_user, *test_pw; char salt[3];- find_hba_entry(DataDir, port->raddr.sin_addr, database, + find_hba_entry(DataDir, port->raddr.sin_addr, user, database, &host_ok, &userauth, pw_file_name, true);if(!host_ok) {
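Review bot: in the hba.h hunk the new `user` parameter of find_hba_entry is placed before `database`, while the hba_recvauth prototype in the context line just above declares `const char database[], const char user[]` in the opposite order. Both are plain `const char[]`, so a caller that swaps them compiles cleanly and silently compares the wrong names; pick one order (database, user) for both functions, or at least note the asymmetry in a comment.

Review bot: the new condition in the `@@ -173,7 +173,8 @@` hunk of hba.c is correct, but `strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 && (strcmp(buf, "%username") != 0 || strcmp(user, database) != 0)` is a triple negation that is hard to audit; compute a positive flag such as `matches = strcmp(buf, database) == 0 || strcmp(buf, "all") == 0 || (strcmp(buf, "%username") == 0 && strcmp(user, database) == 0);` and test `!matches`. Also, the `@@ -261,7 +263,7 @@` hunk passes `&found_entry` into process_hba_record, which indicates the enclosing loop stops at the first record that matches; a `%username` record therefore only takes effect if it is listed before any `all` record covering the same address range, and an `all` record placed first shadows it without any warning. That ordering requirement, and the `%username` token itself, should be documented in the sample pg_hba.conf in the same patch; nothing in these hunks touches the documentation.

Review bot: in the password.c hunk (`@@ -23,7 +23,7 @@`) the `user` argument now passed to find_hba_entry is not declared in the visible context (only `p`, `test_user`, `test_pw` and `salt` are), so it must come from the enclosing function's parameters. Confirm that it is the Postgres user name supplied by the connecting client and not a name read back from the password file (`test_user`), otherwise the `user == database` comparison in hba.c is made against the wrong string.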
----------------------------- cut here -------------------------------
Malcolm
--
Malcolm Beattie <mbeattie@sable.ox.ac.uk>
Unix Systems Programmer
Oxford University Computing Services
--
Bruce Momjian
maillist@candle.pha.pa.us
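Malcolm's `%username` rule, modelled in Python as an added example (this is not PostgreSQL's hba.c and not code from the thread). It takes the 6.1 record format `host DATABASE IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]` and the first-match-wins loop from the patch above; the function names, the shadowing check and the sample pg_hba.conf are my own and are constructed for illustration. The point it shows beyond the patch is the ordering pitfall: a `%username` record listed after an `all` record that covers the same hosts never fires.

```python
"""Model of the pg_hba.conf matching rule that the "%username" patch adds.

Added illustration, not PostgreSQL's hba.c. Record format (6.1):
    host DATABASE IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]
The first record whose host range and DATABASE field both match decides
the authentication method (first match wins, as in process_open_config_file).
"""
import ipaddress

USERNAME_TOKEN = "%username"  # token from the patch; a db name cannot start with '%'


def parse_hba(text):
    """Parse 'host' records; '#' comments and blank lines are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != "host" or len(fields) < 5:
            raise ValueError(f"line {lineno}: unsupported record {line!r}")
        records.append({
            "database": fields[1],
            "ip": ipaddress.IPv4Address(fields[2]),
            "mask": ipaddress.IPv4Address(fields[3]),
            "auth": fields[4],
            "arg": fields[5] if len(fields) > 5 else None,
        })
    return records


def host_matches(rec, client_ip):
    """Address test: (client & mask) == (record ip & mask)."""
    mask = int(rec["mask"])
    return (int(ipaddress.IPv4Address(client_ip)) & mask) == (int(rec["ip"]) & mask)


def database_field_matches(field, user, database):
    """The condition from the hba.c hunk, written as a positive test."""
    if field == database or field == "all":
        return True
    # Patch semantics: "%username" applies only when the connecting user's
    # name is exactly the name of the database being opened.
    return field == USERNAME_TOKEN and user == database


def find_hba_entry(records, client_ip, user, database):
    """Return the first applicable record, or None (connection refused)."""
    for rec in records:
        if host_matches(rec, client_ip) and database_field_matches(rec["database"], user, database):
            return rec
    return None


def shadowed_username_records(records):
    """Indices of "%username" records that can never fire because an earlier
    "all" record already covers every address they cover (first match wins)."""
    shadowed = []
    for i, rec in enumerate(records):
        if rec["database"] != USERNAME_TOKEN:
            continue
        for earlier in records[:i]:
            if earlier["database"] != "all":
                continue
            emask = int(earlier["mask"])
            coarser = (emask & int(rec["mask"])) == emask  # earlier range is no narrower
            same_net = (int(rec["ip"]) & emask) == (int(earlier["ip"]) & emask)
            if coarser and same_net:
                shadowed.append(i)
                break
    return shadowed


# Constructed sample configuration (not from the thread).
SAMPLE_HBA = """
# one line instead of 20000: each user may open only the database named after them
host  %username  0.0.0.0    0.0.0.0          crypt
host  template1  0.0.0.0    0.0.0.0          crypt
host  all        127.0.0.1  255.255.255.255  trust
"""

if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    print(find_hba_entry(recs, "10.0.0.5", "alice", "alice")["auth"])  # crypt
    print(find_hba_entry(recs, "10.0.0.5", "alice", "bob"))            # None
    print(find_hba_entry(recs, "127.0.0.1", "alice", "bob")["auth"])   # trust
    print(shadowed_username_records(recs))                             # []
```

Swap the first and last lines of the sample so that the `all` record comes first with a `0.0.0.0 0.0.0.0` range and `shadowed_username_records` reports the `%username` record as dead: every user then reaches every database through the `all` line, which is the failure mode to check for before relying on a per-user rule.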
I found this patch in my mailbox. Is there any interest in this, or is
it too site-specific?
Eze Ogwuma writes:
Bruce Momjian <maillist@candle.pha.pa.us> writes:
Can you be specific? Something I can add to the TODO list.
Database based access for users so that each user can be given access
to a particular database only. More permissions for each database user:
Create, Drop, Select, Insert etc. Possibly table based
authentication as well.
I needed to do that for the web database that I'm setting up. We have
20000 users and each (potentially) needs a separate database which is
only accessible to them. Rather than having 20000 lines in pg_hba.conf,
I've patched Postgres so that the special token "%username" in the
database field of pg_hba.conf allows access only to the username which
is connecting. (I chose the leading "%" so that it couldn't clash with
a real database name.) Since the patch is against 6.1 rather than
6.2beta, I hadn't made it public. Here it is in case it's of interest.
Yes please! I'd like to see this...
Andrew
----------------------------------------------------------------------------
Dr. Andrew C.R. Martin University College London
EMAIL: (Work) martin@biochem.ucl.ac.uk (Home) andrew@stagleys.demon.co.uk
URL: http://www.biochem.ucl.ac.uk/~martin
Tel: (Work) +44(0)171 419 3890 (Home) +44(0)1372 275775
I found this patch in my mailbox. Is there any interest in this, or is
it too site-specific?
Eze Ogwuma writes:
Bruce Momjian <maillist@candle.pha.pa.us> writes:
Can you be specific? Something I can add to the TODO list.
Database based access for users so that each user can be given access
to a particular database only. More permissions for each database user:
Create, Drop, Select, Insert etc. Possibly table based
authentication as well.
I needed to do that for the web database that I'm setting up. We have
20000 users and each (potentially) needs a separate database which is
only accessible to them. Rather than having 20000 lines in pg_hba.conf,
I've patched Postgres so that the special token "%username" in the
database field of pg_hba.conf allows access only to the username which
is connecting. (I chose the leading "%" so that it couldn't clash with
a real database name.) Since the patch is against 6.1 rather than
6.2beta, I hadn't made it public. Here it is in case it's of interest.
Yes please! I'd like to see this...
I think it may already be there, but with no documentation in
pg_hba.conf:
See backend/libpq/hba.c:
Special case: For usermap "sameuser", don't look in the usermap
file. That's an implied map where "pguser" must be identical to
"ident_username" in order to be authorized.
--
Bruce Momjian
maillist@candle.pha.pa.us
I found this patch in my mailbox. Is there any interest in this, or is
it too site-specific?
Eze Ogwuma writes:
Bruce Momjian <maillist@candle.pha.pa.us> writes:
Can you be specific? Something I can add to the TODO list.
Database based access for users so that each user can be given access
to a particular database only. More permissions for each database user:
Create, Drop, Select, Insert etc. Possibly table based
authentication as well.
I needed to do that for the web database that I'm setting up. We have
20000 users and each (potentially) needs a separate database which is
only accessible to them. Rather than having 20000 lines in pg_hba.conf,
I've patched Postgres so that the special token "%username" in the
So someone wasted their time writing this patch, 'cos the facility wasn't
documented properly ?????
Yes please! I'd like to see this...
I think it may already be there, but with no documentation in
pg_hba.conf:
See backend/libpq/hba.c:
Special case: For usermap "sameuser", don't look in the usermap
file. That's an implied map where "pguser" must be identical to
"ident_username" in order to be authorized.
The terminology isn't exactly clear :-)
I hope this gets documented properly and comprehensibly!!!! I can't say
I'm any wiser from reading that as to what one needs to do (though I guess
I might be if I read it in conjunction with the hba instructions).
<RANT ON>
Might I ask again that people send patches in for the documentation WHENEVER
they add a new feature!
There is no point in adding new and wonderful things if users don't know
they exist!!!!! When someone ends up duplicating functionality 'cos they
don't know that a feature exists, that's even worse........
<RANT OFF>
Andrew
----------------------------------------------------------------------------
Dr. Andrew C.R. Martin University College London
EMAIL: (Work) martin@biochem.ucl.ac.uk (Home) andrew@stagleys.demon.co.uk
URL: http://www.biochem.ucl.ac.uk/~martin
Tel: (Work) +44(0)171 419 3890 (Home) +44(0)1372 275775
I've patched Postgres so that the special token "%username" in the
So someone wasted their time writing this patch, 'cos the facility wasn't
documented properly ?????
Yep, that's what happened.
I hope this gets documented properly and comprehensibly!!!! I can't say
I'm any wiser from reading that as to what one needs to do (though I guess
I might be if I read it in conjunction with the hba instructions).
Phil kindly just added several mentions to the pg_hba.conf file, with
examples of its use.
# ident: Authentication is done by the ident server on the remote
# host, via the ident (RFC 1413) protocol. AUTH_ARGUMENT, if
# specified, is a map name to be found in the pg_ident.conf file.
# That table maps from ident usernames to Postgres usernames. The
# special map name "sameuser" indicates an implied map (not found
# in pg_ident.conf) that maps every ident username to the identical
# Postgres username.
#
<RANT ON>
Might I ask again that people send patches in for the documentation WHENEVER
they add a new feature!
There is no point in adding new and wonderful things if users don't know
they exist!!!!! When someone ends up duplicating functionality 'cos they
don't know that a feature exists, that's even worse........
<RANT OFF>
I usually check before each release to be sure each new feature is
documented, but in this case, there was no mention that the feature
existed.
Never hurts to remind people to send manual page changes too, though
people are usually pretty good about it.
--
Bruce Momjian maillist@candle.pha.pa.us