krb_match_realm patch

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Subject: krb_match_realm patch
Date: 2007-11-01 14:41:51
Message-ID: 20071101144151.GU5031@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

Regarding Magnus' patch for matching against the Kerberos realm- I'd
see it as much more useful as a multi-value configuration option.
Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:

Match against one, and only one, realm (does not have to be the realm
the server is in, that's dealt with separately):
krb_realms = 'ABC.COM'

Don't worry about the realm ever:
krb_realms = '' # default, to match current krb5

Match against multiple realms:
krb_realms = 'ABC.COM, DEF.ABC.COM'

Note that using multiple realms implies either no overlap, or that
overlap means the same person.

Additionally, I feel we should have an explicit 'krb_strip_realm'
boolean option to enable this behaviour. If 'krb_strip_realm' is
'false' then the full user@REALM would be used. This would mean that
more complex cross-realm could also be handled by creating users with
user@REALM and then just roles when a given user exists in multiple
realms.

I understand that we're in beta now but both of these are isolated and
rather small changes, I believe. Also, Magnus has indicated that he'd
be willing to adjust his patch accordingly if this is agreed to
(please correct me if I'm wrong here :).

Thanks,

Stephen
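
The matching rules proposed in the message above, as an added sketch that is not part of the original email and not PostgreSQL code. `krb_realms` and `krb_strip_realm` are the proposed setting names from the message; the functions `realm_allowed` and `map_principal`, the split on the last '@', the exact case-sensitive realm comparison and the sample principals are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if realm is an entry of the comma-separated list; '' means "don't check". */
static bool realm_allowed(const char *realm, const char *list)
{
    if (list[0] == '\0')
        return true;
    size_t rlen = strlen(realm);
    const char *p = list;
    while (*p) {
        while (*p == ' ' || *p == ',')      /* skip separators */
            p++;
        size_t n = strcspn(p, ", ");        /* length of this entry */
        if (n > 0 && n == rlen && memcmp(p, realm, n) == 0)
            return true;                    /* whole-entry match, no suffix match */
        p += n;
    }
    return false;
}

/* Maps "user@REALM" to a role name in out. Returns 0 on success, -1 if rejected. */
int map_principal(const char *princ, const char *krb_realms,
                  bool krb_strip_realm, char *out, size_t outlen)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL || at == princ || at[1] == '\0')
        return -1;                          /* need both a user and a realm */
    if (!realm_allowed(at + 1, krb_realms))
        return -1;
    size_t n = krb_strip_realm ? (size_t)(at - princ) : strlen(princ);
    if (n >= outlen)
        return -1;                          /* refuse rather than truncate */
    memcpy(out, princ, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char role[64];
    const char *samples[] = { "alice@ABC.COM", "alice@DEF.ABC.COM", "alice@XYZ.ORG" }; /* constructed */
    for (int i = 0; i < 3; i++) {
        int rc = map_principal(samples[i], "ABC.COM, DEF.ABC.COM", true, role, sizeof role);
        printf("%s -> %s\n", samples[i], rc == 0 ? role : "(rejected)");
    }
    return 0;
}
```

With stripping enabled, the first two sample principals both map to the role `alice`, which is the overlap case the message says must mean the same person.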
