Re: db_user_namespace a "temporary measure"

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Thom Brown <thom(at)linux(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: db_user_namespace a "temporary measure"
Date: 2014-03-11 16:23:16
Message-ID: 531F3874.2060509@dunslane.net
Lists: pgsql-hackers


On 03/11/2014 09:57 AM, Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> On Tue, Mar 11, 2014 at 2:40 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Are you claiming there are no users, and if so, on what evidence?
>> I am claiming that I don't think anybody is using that, yes.
>> Based on the fact that I have *never* come across it on any system I've
>> come across since, well, forever. Except once I think, many years ago, when
>> someone had enabled it by mistake and needed my help to remove it...
> A slightly more scientific basis for that would be to ask on
> pgsql-general.
>
>> Or if someone wants to fix it properly of course :)
> Yeah, that's what we've been hoping for for 12 years. I stopped holding
> my breath awhile ago.
>
> Mind you, I wouldn't be unhappy to see it go away; it's a kluge and always
> has been. I'm just expecting lots of push-back if we try. And it's kind
> of hard to resist push-back when you don't have a substitute to offer.
>
>

Or we try to make it work. I don't think the idea is inherently bad, and
I know there are people (like ISPs) who would like to have it work
properly. Maybe in these days when most people are on dedicated VMs this
matters less, but I don't think shared database servers are totally dead
yet.

The docs say:

db_user_namespace causes the client's and server's user name
representation to differ. Authentication checks are always done with
the server's user name so authentication methods must be configured
for the server's user name, not the client's. Because md5 uses the
user name as salt on both the client and server, md5 cannot be used
with db_user_namespace.

Is that the only major issue? Why not have the server strip out the @db
part if this is on? If we made this an initdb-time setting rather than a
GUC then we'd remove the problems caused by turning this on and off. I'm
not sure what other problems that might cause, but it doesn't seem
totally intractable at first glance.

cheers

andrew
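
Why md5 authentication fails under db_user_namespace, as the quoted documentation describes, worked through in an added Python example (not part of the original message and not PostgreSQL source code). The names `joe` and `shop`, the password and the salt are constructed; the case where the verifier is salted with the name minus its `@db` part is only an assumed sketch of the idea raised in the message.

```python
import hashlib
import hmac

SALT = b"\x01\x02\x03\x04"  # constructed 4-byte per-session salt

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_verifier(password: str, salt_name: str) -> str:
    # Stored form: "md5" + md5(password || user name)
    return "md5" + md5_hex((password + salt_name).encode())

def client_response(password: str, sent_name: str, salt: bytes) -> str:
    # The client hashes with the name it typed, then with the session salt
    inner = md5_hex((password + sent_name).encode())
    return "md5" + md5_hex(inner.encode() + salt)

def server_accepts(verifier: str, response: str, salt: bytes) -> bool:
    # The server only holds the stored digest; it re-hashes it with the salt
    expected = "md5" + md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)

def server_role_name(sent_name: str, database: str) -> str:
    # db_user_namespace mapping per the PostgreSQL docs: a trailing "@"
    # marks a global user and is stripped; otherwise "@database" is appended
    if sent_name.endswith("@"):
        return sent_name[:-1]
    return f"{sent_name}@{database}"

def login_ok(password: str, sent_name: str, verifier_name: str) -> bool:
    # verifier_name is the user name that was mixed into the stored hash
    verifier = stored_verifier(password, verifier_name)
    response = client_response(password, sent_name, SALT)
    return server_accepts(verifier, response, SALT)

if __name__ == "__main__":
    role = server_role_name("joe", "shop")  # server looks up "joe@shop"
    print("role looked up by server:", role)
    # Verifier salted with the server's name: correct password is rejected
    print("salted with role name:", login_ok("s3cret", "joe", role))
    # Assumed variant: verifier salted with the "@db" part stripped
    print("salted with stripped name:", login_ok("s3cret", "joe", role.split("@")[0]))
```

The correct password is rejected in the first case because the user name is an input to the stored hash, so the client and server never compute the same digest.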
