Tom Lane wrote:
> Bruce Momjian <[EMAIL PROTECTED]> writes:
> > Oh, so try it with and without. I can do that, but it seems more of a
> > security problem where you were trying two names instead of one. Do
> > people like that?
>
> The nice thing about it is you can have any combination of people with
> installation-wide access (create them as joeblow) and people with
> one-database access (create them as joeblow@joesdatabase). A special
> case for only the postgres user is much less flexible.

Oh, yes, clearly a nice addition, but see below.

> > It is easy to do, except for the fact we have to
> > match pg_hba.conf with a username, though we could do the double-test
> > there too, if that isn't too weird.
>
> It'd probably be better to first look at the flat-file copy of pg_shadow
> to determine whether user or user@database is the form to use, and then
> run through pg_hba.conf only once using the correct form. Otherwise
> there are going to be all sorts of weird corner cases: user might match
> a different pg_hba row than user@database does.

Problem is that pg_shadow flat file _only_ has users with passwords. I do a btree search of that file, but I am not sure I want to add a dump of _all_ users just to allow this. Do we?

> Also, if you do it this way then the substitution only has to be done in
> one place: you can pass down the correct form to the backend, which'd
> otherwise have to repeat the test to see which username is found.

Yes, certainly a big win.

What we _could_ do is to allow connections to template1 be unsuffixed by the dbname, but that makes everyone connecting to template1 have problems, and just seemed too weird.

Ideas?

--
  Bruce Momjian                    | http://candle.pha.pa.us
  [EMAIL PROTECTED]                | (610) 359-1001
  + If your life is a hard drive,  | 13 Roberts Road
  + Christ can be your backup.     | Newtown Square, Pennsylvania 19073
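
Added example, not part of the original message and not PostgreSQL code: a small Python model of the two approaches discussed in the thread, the double-test against pg_hba.conf versus resolving user or user@database first and scanning the rows once. The row layout (database, user, method), the function names and the sample data are assumptions made for illustration, and the model assumes a complete user list is available for the lookup.

```python
# Simplified model: each pg_hba row is (database, user, auth method); first match wins.
# Constructed sample data, not a real pg_hba.conf.
HBA_ROWS = [
    ("joesdatabase", "joeblow", "trust"),
    ("joesdatabase", "joeblow@joesdatabase", "md5"),
    ("all", "postgres", "md5"),
]
# Assumption: a complete list of user names is available for the lookup.
USERS = {"postgres", "joeblow@joesdatabase"}


def match_hba(rows, database, user):
    """Return the auth method of the first row matching (database, user), or None."""
    for row_db, row_user, method in rows:
        if row_db in ("all", database) and row_user in ("all", user):
            return method
    return None


def double_test(rows, database, login):
    """Try the bare name, then name@database, directly against the rows."""
    for candidate in (login, f"{login}@{database}"):
        method = match_hba(rows, database, candidate)
        if method is not None:
            return candidate, method
    return None, None


def resolve_then_match(rows, users, database, login):
    """Pick the form that exists in the user list, then scan the rows once."""
    for candidate in (login, f"{login}@{database}"):
        if candidate in users:
            return candidate, match_hba(rows, database, candidate)
    return None, None  # unknown user: no row is consulted
```

With this sample data the double-test settles on the bare name and the first row, while the only account that exists is joeblow@joesdatabase, which the second row governs; resolving first also yields the single name form to hand on to the backend.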