On Thu, 2021-01-28 at 18:22 +0000, Jacob Champion wrote: > = Proposal = > > I propose that every auth method should store the string it uses to > identify a user -- what I'll call an "authenticated identity" -- into > one central location in Port, after authentication succeeds but before > any pg_ident authorization occurs.
Thanks everyone for all of the feedback! Here's my summary of the conversation so far: - The idea of storing the user's original identity consistently across all auth methods seemed to be positively received. - Exposing this identity through log_line_prefix was not as well- received, landing somewhere between "meh" and "no thanks". The main concern was log bloat/expense. - Exposing it through the CSV log got the same reception: if we expose it through log_line_prefix, we should expose it through CSV, but no one seemed particularly excited about either. - The idea of logging this information once per session, as part of log_connection, got a more positive response. That way the information can still be obtained, but it doesn't clutter every log line. - There was also some interest in exposing this through the statistics collector, either as a superuser-only feature or via the pg_read_all_stats role. - There was some discussion around *which* string to choose as the identifer for more complicated cases, such as TLS client certificates. - Other improvements around third-party authorization and role management were discussed, including the ability to auto-create nonexistent roles, to sync role definitions as a first-party feature, and to query an external system for role authorization. (Let me know if there's something else I've missed.) == My Plans == Given the feedback above, I'll continue to flesh out the PoC patch, focusing on 1) storing the identity in a single place for all auth methods and 2) exposing it consistently in the logs as part of log_connections. I'll drop the log_line_prefix format specifier from the patch and see what that does to the testing side of things. I also plan to write a follow-up patch to add the authenticated identity to the statistics collector, with pg_get_authenticated_identity() to retrieve it. I'm excited to see where the third-party authz and role management conversations go, but I won't focus on those for my initial patchset. I think this patch has use even if those ideas are implemented too. --Jacob
