Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pFqCU-00028d-Rt for pgsql-hackers@arkaria.postgresql.org; Thu, 12 Jan 2023 05:32:31 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pFqCT-0005yz-G0 for pgsql-hackers@arkaria.postgresql.org; Thu, 12 Jan 2023 05:32:29 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pFqCT-0005yq-71 for pgsql-hackers@lists.postgresql.org; Thu, 12 Jan 2023 05:32:29 +0000 Received: from wout5-smtp.messagingengine.com ([64.147.123.21]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pFqCR-0007il-2T for pgsql-hackers@lists.postgresql.org; Thu, 12 Jan 2023 05:32:28 +0000 Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id E4CD032009A5; Thu, 12 Jan 2023 00:32:22 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Thu, 12 Jan 2023 00:32:23 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paquier.xyz; h= cc:cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm3; t=1673501542; x=1673587942; bh=8O9GUqsC7u U7L5Z5cXo4CNmQwhXE1nRhWPI9ZPXs2/g=; b=DCYNfWjTDubJ4OEJPZ9B3E0wEC Y7fmjbL8nG7O/OOFMY7KiNsccIVe8rnMlPpS4s8DjK6fQMGDmhEGGYIvcHHiTrYg wFr1mf92i7b665WkPlOX4r6okZEoH0QOzkWQ3oQtwaUxQ8DkTrixWVCaKu4TJ9Iq RAmzXtQY8bagMa/2y8hwkvRxTH/KxksJNDpd9Xse+Ov6bGRWG4wJiUHoSTKgk2RR RED2Ik8eJY4qxzEYhcumi2Q1odqexEghNQURh9YvHWdLzOuJfX1TFuAg12+E4u5w PDe3XCtQ+ooTVz1R/fIs2EGQShHuQUCG7T7qXrOxICIBKTKPr2MXNBK1xlEw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1673501542; x=1673587942; bh=8O9GUqsC7uU7L5Z5cXo4CNmQwhXE 1nRhWPI9ZPXs2/g=; b=GwXZSpZMSVGZuYF4WY0Nb9cLr10dRDV+Bg/UOmqgugSU 1lO7/ijSEyoYyZD4qbakDDosA26WsFQcl9n5DI54pE3vDN+9idddzWJkw6c0wTIH wO4WXx5jzjS/2I53S6Rz73QcDqwsz4jYRNq4jVW2ssr2Y6hmrr9ElGckGG6Xmql1 ezgDqCq401harl1X9oCqQkKTz+CJRVL9ZoZ3TjDC8jiqhpGfCMDRi3VBMDZGg80s 9kBZrupgZdYnMWnvzvUHWA9CILnhY5IeyBdHd6op5Aa8UaLPWak9vUVfZckR4FNO WVcjlakQAQ/BYoTTbkNeX+W5gtwvJLIncIqdexkZXw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrleehgdekgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfg hrlhcuvffnffculdejtddmnecujfgurhepfffhvfevuffkfhggtggujgesghdtreertddt vdenucfhrhhomhepofhitghhrggvlhcurfgrqhhuihgvrhcuoehmihgthhgrvghlsehprg hquhhivghrrdighiiiqeenucggtffrrghtthgvrhhnpeetleeifedufffhhfdtteelgeeg geffhfekueevteeigfduudevudetgfegiedvjeenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpehmihgthhgrvghlsehprghquhhivghrrdighiii X-ME-Proxy: Feedback-ID: i0fe9450f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 12 Jan 2023 00:32:18 -0500 (EST) Date: Thu, 12 Jan 2023 14:32:15 +0900 From: Michael Paquier To: Jelte Fennema Cc: Jelte Fennema , "isaac.morland@gmail.com" , "pgsql-hackers@lists.postgresql.org" , Nathan Bossart , Andrew Dunstan Subject: Re: [EXTERNAL] Re: [PATCH] Support using "all" for the db user in pg_ident.conf Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Xv5kc6hmXPJv+ky2" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --Xv5kc6hmXPJv+ky2 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Jan 11, 2023 at 03:22:35PM +0100, Jelte Fennema wrote: > The main uncertainty I have is if the case insensitivity check is > actually needed in check_role. It seems like a case insensitive > check against the database user shouldn't actually be necessary. > I only understand the need for the case insensitive check against > the system user. But I have too little experience with LDAP/kerberos > to say for certain. So for now I kept the existing behaviour to > not regress. if (!identLine->pg_user->quoted && + identLine->pg_user->string[0] != '+' && + !token_is_keyword(identLine->pg_user, "all") && + !token_has_regexp(identLine->pg_user) && If we finish by allowing a regexp for the PG user in an IdentLine, I would choose to drop "all" entirely. Simpler is better when it comes to authentication, though we are working on getting things more.. Complicated. + Quoting a database-username containing + \1 makes the \1 + lose its special meaning. 0002 and 0003 need careful thinking. +# Success as the regular expression matches and \1 is replaced +reset_pg_ident($node, 'mypeermap', qq{/^$system_user(.*)\$}, + 'test\1mapuser'); +test_role( + $node, + qq{testmapuser}, + 'peer', + 0, + 'with regular expression in user name map with \1', + log_like => + [qr/connection authenticated: identity="$system_user" method=peer/]); Relying on kerberos to check the substitution pattern is a bit annoying.. I would be really tempted to extract and commit that independently of the rest, actually, to provide some coverage of the substitution case in the peer test. > The patchset also contains 3 preparatory patches with two refactoring > passes and one small bugfix + test additions. Applied 0001, which looked fine and was an existing issue. At the end, I had no issues with the names you suggested. -- Michael --Xv5kc6hmXPJv+ky2 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEG72nH6vTowiyblFKnvQgOdbyQH0FAmO/m18ACgkQnvQgOdby QH1ENA/+NSIQJ0/Z2XuYcc1gMR1YyK6vBogAmXvlvREZo+imt/J+o5t60ni3PXFX +vDZVHoVZWmfOLvWP+JfZeqR36eInLkN925vCk1yOq4Mu1RZNIOAGtv09Y8sPGVZ 2WqPNv1SPyKCQXmlP8VLi/ylkn8Vl8fCIWXQx9SwBkC0rmOY2eaocsyIeqviqUVh HVrqs9qT7rA/p4XlsdmWMo4SGCVfG9pM/LGMgY2i+yGHjwuHmqoXYFbpzQv1IElj klHaVchi0CZzaIg4vjI95r1G/ulI4ciRXprMCJ4Qq4+BX9+xACm22kggMLgB1QgQ +rTrU1JJgidLzvxDHbXm/hMIkiqIvZ//ramAcGQO2F7tVaAuLpDmPV5JKBO/O+Nh 1vL4Eazkwu64N+EFlhSDxiGQwzuZTdTYi9aLv0BWGwVKB+DrY9EFR9ceGnesAlKU DXAQu3Gafyr0ZYWalBfd/+OYamAWrbNs0zmpl/ZqnC/7ZY+YPnGaHScMyI3TLDWl pQpFugIAoxbojAAA6ftnjcoPhU/cQQC+3Q1pTGs8q3ivG8zcCNsp0m+5Npt0HURx O3/Km8D5aStgR6iSKToRRK8jCHPyqIUOhKItr/9HEIey/+fp1Q0LOcAF6Fvluh2U /Bgq47C2NKRNOEAV7glefzT0BYRxE4lozZB/8ryIsSyAaXwsbVI= =mj8k -----END PGP SIGNATURE----- --Xv5kc6hmXPJv+ky2--