Re: [PATCHES] [HACKERS] elog(FATAL)ing non-existent roles during client

Mon, 04 Dec 2006 05:55:51 -0800 

On Tue, 5 Dec 2006, Gavin Sherry wrote:

> On Thu, 30 Nov 2006, Tom Lane wrote:
>
> > Gavin Sherry <[EMAIL PROTECTED]> writes:
> > > I wonder if we should check if the role exists for the other
> > > authentication methods too? get_role_line() should be very cheap and it
> > > would prevent unnecessary authentication work if we did it before
> > > contacting, for example, the client ident server. Even with trust, it
> > > would save work because otherwise we do not check if the user exists until
> > > InitializeSessionUserId(), at which time we're set up our proc entry etc.
> >
> > This only saves work if the supplied ID is in fact invalid, which one
> > would surely think isn't the normal case; otherwise it costs more.
>
> Yes.
>
> > I could see doing this in the ident path, because contacting a remote
> > ident server is certainly expensive on both sides.  I doubt it's a good
> > idea in the trust case.
>
> Agreed. How about Kerberos too, applying the same logic?

Attached is a patch check adds the checks.

Gavin
Index: src/backend/libpq/auth.c
===================================================================
RCS file: /usr/local/cvsroot/pgsql/src/backend/libpq/auth.c,v
retrieving revision 1.146
diff -c -p -r1.146 auth.c
*** src/backend/libpq/auth.c    6 Nov 2006 01:27:52 -0000       1.146
--- src/backend/libpq/auth.c    4 Dec 2006 13:47:05 -0000
*************** pg_krb5_recvauth(Port *port)
*** 216,221 ****
--- 217,225 ----
        krb5_ticket *ticket;
        char       *kusername;
  
+       if (get_role_line(port->user_name) == NULL)
+               return STATUS_ERROR;
+       
        ret = pg_krb5_init();
        if (ret != STATUS_OK)
                return ret;
Index: src/backend/libpq/hba.c
===================================================================
RCS file: /usr/local/cvsroot/pgsql/src/backend/libpq/hba.c,v
retrieving revision 1.157
diff -c -p -r1.157 hba.c
*** src/backend/libpq/hba.c     5 Nov 2006 22:42:08 -0000       1.157
--- src/backend/libpq/hba.c     4 Dec 2006 13:47:05 -0000
*************** authident(hbaPort *port)
*** 1589,1594 ****
--- 1589,1597 ----
  {
        char            ident_user[IDENT_USERNAME_MAX + 1];
  
+       if (get_role_line(port->user_name) == NULL)
+               return STATUS_ERROR;
+       
        switch (port->raddr.addr.ss_family)
        {
                case AF_INET:

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
       choose an index scan if your joining column's datatypes do not
       match

Reply via email to