On Tue, Jul 7, 2015 at 12:57:58PM -0400, Tom Lane wrote:
> Andres Freund <and...@anarazel.de> writes:
> > On 2015-07-07 12:03:36 -0400, Peter Eisentraut wrote:
> >> I think the DN is analogous to the remote user name, which we don't
> >> expose for any of the other authentication methods.
>
> > Huh?
>
> Peter's exactly right: there is no other case where you can tell what
> some other connection's actual OS username is. You might *guess* that
> it's the same as their database username, but you don't know that,
> assuming you don't know how they authenticated.
>
> I'm not sure how security-critical this info really is, though.

I know I am coming in late here, but I know Heroku uses random user names
to allow a cluster to have per-user databases without showing external
user name details:

    => \du
                                 List of roles
       Role name    |                   Attributes                   | Member of
    ----------------+------------------------------------------------+-----------
     aafgrwewediiqz | 20 connections                                 | {}
     aaszwkfnholarh | 20 connections                                 | {}
     aatbelxbaeriwy | 20 connections                                 | {}
     aaxiwolkcxmbxo | 20 connections                                 | {}
     abbyljzgqaonjb | 20 connections                                 | {}

I can see them having problems with a user being able to see the SSL
remote user names of all connected users.

--
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +