($INBOX_DIR/description missing)
help / color / mirror / Atom feedRe: Various typo fixes
8+ messages / 2 participants
[nested] [flat]
* Re: Various typo fixes
@ 2023-04-12 04:05 Michael Paquier <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Michael Paquier @ 2023-04-12 04:05 UTC (permalink / raw)
To: Justin Pryzby <[email protected]>; +Cc: Thom Brown <[email protected]>; [email protected]
On Tue, Apr 11, 2023 at 05:15:29PM -0500, Justin Pryzby wrote:
> The first attachment fixes for typos in user-facing docs new in v16,
> combining Thom's changes with the ones that I'd found. If that's
> confusing, I'll resend my patches separately.
>
> The other four numbered patches could use extra review.
In v16-typos.diff..
- <literal>buffered</literal>, the decoding will stream or serialize
+ <literal>buffered</literal>, decoding will stream or serialize
The could be referred as "the decoding context", as well?
- not starting with a <literal>.</literal> and ending with
- <literal>.conf</literal> will be included. Multiple files within an include
+ ending with <literal>.conf</literal> and not starting with a <literal>.</literal>
+ will be included. Multiple files within an include
In 0001.. Not sure that this is an improvement, switching the
starting and ending parts.
- include records. These records only contain two fields:
+ include directives. Include directives only contain two fields:
[...]
- included. The file or directory can be a relative of absolute path, and can
+ included. The file or directory can be a relative or absolute path, and can
Yep, indeed.
We've discussed quite a lot about the current wording that 0004 aims
to change, FWIW.
I have applied a first batch of fixes that relate to the areas
introduced by myself, plus a few extras. The changes for
pg_log_standby_snapshot() mostly left out for now (except one simple
change in logicaldecoding.sgml).
Most of the changes in 0002 and 0003 seem rather OK at quick glance,
but perhaps their respective authors would like to weigh in.
--
Michael
Attachments:
[application/pgp-signature] signature.asc (833B, ../../[email protected]/2-signature.asc)
download
^ permalink raw reply [nested|flat] 8+ messages in thread
* [PATCH v1 1/1] remove db_user_namespace
@ 2023-06-30 19:46 Nathan Bossart <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Nathan Bossart @ 2023-06-30 19:46 UTC (permalink / raw)
---
doc/src/sgml/config.sgml | 52 -------------------
src/backend/libpq/auth.c | 5 --
src/backend/libpq/hba.c | 12 -----
src/backend/postmaster/postmaster.c | 19 -------
src/backend/utils/misc/guc_tables.c | 9 ----
src/backend/utils/misc/postgresql.conf.sample | 1 -
src/include/libpq/pqcomm.h | 2 -
7 files changed, 100 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 6262cb7bb2..e6cea8ddfc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1188,58 +1188,6 @@ include_dir 'conf.d'
</para>
</listitem>
</varlistentry>
-
- <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
- <term><varname>db_user_namespace</varname> (<type>boolean</type>)
- <indexterm>
- <primary><varname>db_user_namespace</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- This parameter enables per-database user names. It is off by default.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- </para>
-
- <para>
- If this is on, you should create users as <replaceable>username@dbname</replaceable>.
- When <replaceable>username</replaceable> is passed by a connecting client,
- <literal>@</literal> and the database name are appended to the user
- name and that database-specific user name is looked up by the
- server. Note that when you create users with names containing
- <literal>@</literal> within the SQL environment, you will need to
- quote the user name.
- </para>
-
- <para>
- With this parameter enabled, you can still create ordinary global
- users. Simply append <literal>@</literal> when specifying the user
- name in the client, e.g., <literal>joe@</literal>. The <literal>@</literal>
- will be stripped off before the user name is looked up by the
- server.
- </para>
-
- <para>
- <varname>db_user_namespace</varname> causes the client's and
- server's user name representation to differ.
- Authentication checks are always done with the server's user name
- so authentication methods must be configured for the
- server's user name, not the client's. Because
- <literal>md5</literal> uses the user name as salt on both the
- client and server, <literal>md5</literal> cannot be used with
- <varname>db_user_namespace</varname>.
- </para>
-
- <note>
- <para>
- This feature is intended as a temporary measure until a
- complete solution is found. At that time, this option will
- be removed.
- </para>
- </note>
- </listitem>
- </varlistentry>
</variablelist>
</sect2>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a98b934a8e..65d452f099 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,11 +873,6 @@ CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
char *passwd;
int result;
- if (Db_user_namespace)
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
-
/* include the salt to use for computing the response */
if (!pg_strong_random(md5Salt, 4))
{
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f89f138f3c..5d4ddbb04d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1741,19 +1741,7 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
else if (strcmp(token->string, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token->string, "md5") == 0)
- {
- if (Db_user_namespace)
- {
- ereport(elevel,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, file_name)));
- *err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
- return NULL;
- }
parsedline->auth_method = uaMD5;
- }
else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0)
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 4c49393fc5..33a13fdf32 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -236,7 +236,6 @@ int AuthenticationTimeout = 60;
bool log_hostname; /* for ps display and logging */
bool Log_connections = false;
-bool Db_user_namespace = false;
bool enable_bonjour = false;
char *bonjour_name;
@@ -2272,24 +2271,6 @@ retry1:
if (port->database_name == NULL || port->database_name[0] == '\0')
port->database_name = pstrdup(port->user_name);
- if (Db_user_namespace)
- {
- /*
- * If user@, it is a global user, remove '@'. We only want to do this
- * if there is an '@' at the end and no earlier in the user string or
- * they may fake as a local user of another database attaching to this
- * database.
- */
- if (strchr(port->user_name, '@') ==
- port->user_name + strlen(port->user_name) - 1)
- *strchr(port->user_name, '@') = '\0';
- else
- {
- /* Append '@' and dbname */
- port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
- }
- }
-
/*
* Truncate given database and user names to length of a Postgres name.
* This avoids lookup failures when overlength names are given.
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index 71e27f8eb0..25d9008bb6 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -1534,15 +1534,6 @@ struct config_bool ConfigureNamesBool[] =
false,
NULL, NULL, NULL
},
- {
- {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
- gettext_noop("Enables per-database user names."),
- NULL
- },
- &Db_user_namespace,
- false,
- NULL, NULL, NULL
- },
{
{"default_transaction_read_only", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Sets the default read-only status of new transactions."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index e4c0269fa3..c768af9a73 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -96,7 +96,6 @@
#authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#scram_iterations = 4096
-#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index c85090259d..3da00f7983 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -103,8 +103,6 @@ typedef ProtocolVersion MsgType;
typedef uint32 PacketLen;
-extern PGDLLIMPORT bool Db_user_namespace;
-
/*
* In protocol 3.0 and later, the startup packet length is not fixed, but
* we set an arbitrary limit on it anyway. This is just to prevent simple
--
2.25.1
--Kj7319i9nmIyA2yE--
^ permalink raw reply [nested|flat] 8+ messages in thread
* [PATCH v4 1/1] remove db_user_namespace
@ 2023-06-30 19:46 Nathan Bossart <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Nathan Bossart @ 2023-06-30 19:46 UTC (permalink / raw)
---
doc/src/sgml/client-auth.sgml | 5 --
doc/src/sgml/config.sgml | 52 -------------------
src/backend/commands/variable.c | 15 ++++++
src/backend/libpq/auth.c | 5 --
src/backend/libpq/hba.c | 12 -----
src/backend/postmaster/postmaster.c | 19 -------
src/backend/utils/misc/guc_tables.c | 16 ++++--
src/backend/utils/misc/postgresql.conf.sample | 1 -
src/include/libpq/pqcomm.h | 2 -
src/include/utils/guc_hooks.h | 1 +
.../unsafe_tests/expected/guc_privs.out | 4 ++
.../modules/unsafe_tests/sql/guc_privs.sql | 3 ++
12 files changed, 35 insertions(+), 100 deletions(-)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 204d09df67..6c95f0df1e 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1253,11 +1253,6 @@ omicron bryanh guest1
attacks.
</para>
- <para>
- The <literal>md5</literal> method cannot be used with
- the <xref linkend="guc-db-user-namespace"/> feature.
- </para>
-
<para>
To ease transition from the <literal>md5</literal> method to the newer
SCRAM method, if <literal>md5</literal> is specified as a method
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 6262cb7bb2..e6cea8ddfc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1188,58 +1188,6 @@ include_dir 'conf.d'
</para>
</listitem>
</varlistentry>
-
- <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
- <term><varname>db_user_namespace</varname> (<type>boolean</type>)
- <indexterm>
- <primary><varname>db_user_namespace</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- This parameter enables per-database user names. It is off by default.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- </para>
-
- <para>
- If this is on, you should create users as <replaceable>username@dbname</replaceable>.
- When <replaceable>username</replaceable> is passed by a connecting client,
- <literal>@</literal> and the database name are appended to the user
- name and that database-specific user name is looked up by the
- server. Note that when you create users with names containing
- <literal>@</literal> within the SQL environment, you will need to
- quote the user name.
- </para>
-
- <para>
- With this parameter enabled, you can still create ordinary global
- users. Simply append <literal>@</literal> when specifying the user
- name in the client, e.g., <literal>joe@</literal>. The <literal>@</literal>
- will be stripped off before the user name is looked up by the
- server.
- </para>
-
- <para>
- <varname>db_user_namespace</varname> causes the client's and
- server's user name representation to differ.
- Authentication checks are always done with the server's user name
- so authentication methods must be configured for the
- server's user name, not the client's. Because
- <literal>md5</literal> uses the user name as salt on both the
- client and server, <literal>md5</literal> cannot be used with
- <varname>db_user_namespace</varname>.
- </para>
-
- <note>
- <para>
- This feature is intended as a temporary measure until a
- complete solution is found. At that time, this option will
- be removed.
- </para>
- </note>
- </listitem>
- </varlistentry>
</variablelist>
</sect2>
diff --git a/src/backend/commands/variable.c b/src/backend/commands/variable.c
index f0f2e07655..b6a2fa2512 100644
--- a/src/backend/commands/variable.c
+++ b/src/backend/commands/variable.c
@@ -1157,6 +1157,21 @@ check_bonjour(bool *newval, void **extra, GucSource source)
return true;
}
+bool
+check_db_user_namespace(bool *newval, void **extra, GucSource source)
+{
+ if (*newval)
+ {
+ /* check the GUC's definition for an explanation */
+ GUC_check_errcode(ERRCODE_FEATURE_NOT_SUPPORTED);
+ GUC_check_errmsg("db_user_namespace is not supported");
+
+ return false;
+ }
+
+ return true;
+}
+
bool
check_default_with_oids(bool *newval, void **extra, GucSource source)
{
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a98b934a8e..65d452f099 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,11 +873,6 @@ CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
char *passwd;
int result;
- if (Db_user_namespace)
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
-
/* include the salt to use for computing the response */
if (!pg_strong_random(md5Salt, 4))
{
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f89f138f3c..5d4ddbb04d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1741,19 +1741,7 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
else if (strcmp(token->string, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token->string, "md5") == 0)
- {
- if (Db_user_namespace)
- {
- ereport(elevel,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, file_name)));
- *err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
- return NULL;
- }
parsedline->auth_method = uaMD5;
- }
else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0)
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 0b1de9efb2..9c8ec779f9 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -236,7 +236,6 @@ int AuthenticationTimeout = 60;
bool log_hostname; /* for ps display and logging */
bool Log_connections = false;
-bool Db_user_namespace = false;
bool enable_bonjour = false;
char *bonjour_name;
@@ -2272,24 +2271,6 @@ retry1:
if (port->database_name == NULL || port->database_name[0] == '\0')
port->database_name = pstrdup(port->user_name);
- if (Db_user_namespace)
- {
- /*
- * If user@, it is a global user, remove '@'. We only want to do this
- * if there is an '@' at the end and no earlier in the user string or
- * they may fake as a local user of another database attaching to this
- * database.
- */
- if (strchr(port->user_name, '@') ==
- port->user_name + strlen(port->user_name) - 1)
- *strchr(port->user_name, '@') = '\0';
- else
- {
- /* Append '@' and dbname */
- port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
- }
- }
-
if (am_walsender)
MyBackendType = B_WAL_SENDER;
else
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index f8ef87d26d..94e87b7bd4 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -505,6 +505,7 @@ bool check_function_bodies = true;
*/
bool default_with_oids = false;
bool session_auth_is_superuser;
+bool Db_user_namespace = false;
int log_min_error_statement = ERROR;
int log_min_messages = WARNING;
@@ -1534,14 +1535,21 @@ struct config_bool ConfigureNamesBool[] =
false,
NULL, NULL, NULL
},
+
+ /*
+ * db_user_namespace was removed in PostgreSQL 17, but we tolerate the
+ * parameter being set to false to avoid unnecessarily breaking older dump
+ * files.
+ */
{
- {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
- gettext_noop("Enables per-database user names."),
- NULL
+ {"db_user_namespace", PGC_SIGHUP, COMPAT_OPTIONS_PREVIOUS,
+ gettext_noop("db_user_namespace is no longer supported; this can only be false."),
+ NULL,
+ GUC_NO_SHOW_ALL | GUC_NOT_IN_SAMPLE
},
&Db_user_namespace,
false,
- NULL, NULL, NULL
+ check_db_user_namespace, NULL, NULL
},
{
{"default_transaction_read_only", PGC_USERSET, CLIENT_CONN_STATEMENT,
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index e4c0269fa3..c768af9a73 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -96,7 +96,6 @@
#authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#scram_iterations = 4096
-#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index c85090259d..3da00f7983 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -103,8 +103,6 @@ typedef ProtocolVersion MsgType;
typedef uint32 PacketLen;
-extern PGDLLIMPORT bool Db_user_namespace;
-
/*
* In protocol 3.0 and later, the startup packet length is not fixed, but
* we set an arbitrary limit on it anyway. This is just to prevent simple
diff --git a/src/include/utils/guc_hooks.h b/src/include/utils/guc_hooks.h
index 2ecb9fc086..c51d44ec15 100644
--- a/src/include/utils/guc_hooks.h
+++ b/src/include/utils/guc_hooks.h
@@ -49,6 +49,7 @@ extern bool check_cluster_name(char **newval, void **extra, GucSource source);
extern const char *show_data_directory_mode(void);
extern bool check_datestyle(char **newval, void **extra, GucSource source);
extern void assign_datestyle(const char *newval, void *extra);
+extern bool check_db_user_namespace(bool *newval, void **extra, GucSource source);
extern bool check_default_table_access_method(char **newval, void **extra,
GucSource source);
extern bool check_default_tablespace(char **newval, void **extra,
diff --git a/src/test/modules/unsafe_tests/expected/guc_privs.out b/src/test/modules/unsafe_tests/expected/guc_privs.out
index f43a1da214..17f7a0c980 100644
--- a/src/test/modules/unsafe_tests/expected/guc_privs.out
+++ b/src/test/modules/unsafe_tests/expected/guc_privs.out
@@ -40,6 +40,10 @@ RESET autovacuum; -- fail, requires reload
ERROR: parameter "autovacuum" cannot be changed now
ALTER SYSTEM SET autovacuum = OFF; -- ok
ALTER SYSTEM RESET autovacuum; -- ok
+ALTER SYSTEM SET db_user_namespace = OFF; -- ok
+ALTER SYSTEM SET db_user_namespace = ON; -- fail, cannot be changed
+ERROR: db_user_namespace is not supported
+ALTER SYSTEM RESET db_user_namespace; -- ok
-- PGC_SUSET
SET lc_messages = 'C'; -- ok
RESET lc_messages; -- ok
diff --git a/src/test/modules/unsafe_tests/sql/guc_privs.sql b/src/test/modules/unsafe_tests/sql/guc_privs.sql
index 7a4fb24b9d..233ce1a5ac 100644
--- a/src/test/modules/unsafe_tests/sql/guc_privs.sql
+++ b/src/test/modules/unsafe_tests/sql/guc_privs.sql
@@ -31,6 +31,9 @@ SET autovacuum = OFF; -- fail, requires reload
RESET autovacuum; -- fail, requires reload
ALTER SYSTEM SET autovacuum = OFF; -- ok
ALTER SYSTEM RESET autovacuum; -- ok
+ALTER SYSTEM SET db_user_namespace = OFF; -- ok
+ALTER SYSTEM SET db_user_namespace = ON; -- fail, cannot be changed
+ALTER SYSTEM RESET db_user_namespace; -- ok
-- PGC_SUSET
SET lc_messages = 'C'; -- ok
RESET lc_messages; -- ok
--
2.25.1
--jRHKVT23PllUwdXP--
^ permalink raw reply [nested|flat] 8+ messages in thread
* [PATCH v1 1/1] remove db_user_namespace
@ 2023-06-30 19:46 Nathan Bossart <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Nathan Bossart @ 2023-06-30 19:46 UTC (permalink / raw)
---
doc/src/sgml/config.sgml | 52 -------------------
src/backend/libpq/auth.c | 5 --
src/backend/libpq/hba.c | 12 -----
src/backend/postmaster/postmaster.c | 19 -------
src/backend/utils/misc/guc_tables.c | 9 ----
src/backend/utils/misc/postgresql.conf.sample | 1 -
src/include/libpq/pqcomm.h | 2 -
7 files changed, 100 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 6262cb7bb2..e6cea8ddfc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1188,58 +1188,6 @@ include_dir 'conf.d'
</para>
</listitem>
</varlistentry>
-
- <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
- <term><varname>db_user_namespace</varname> (<type>boolean</type>)
- <indexterm>
- <primary><varname>db_user_namespace</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- This parameter enables per-database user names. It is off by default.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- </para>
-
- <para>
- If this is on, you should create users as <replaceable>username@dbname</replaceable>.
- When <replaceable>username</replaceable> is passed by a connecting client,
- <literal>@</literal> and the database name are appended to the user
- name and that database-specific user name is looked up by the
- server. Note that when you create users with names containing
- <literal>@</literal> within the SQL environment, you will need to
- quote the user name.
- </para>
-
- <para>
- With this parameter enabled, you can still create ordinary global
- users. Simply append <literal>@</literal> when specifying the user
- name in the client, e.g., <literal>joe@</literal>. The <literal>@</literal>
- will be stripped off before the user name is looked up by the
- server.
- </para>
-
- <para>
- <varname>db_user_namespace</varname> causes the client's and
- server's user name representation to differ.
- Authentication checks are always done with the server's user name
- so authentication methods must be configured for the
- server's user name, not the client's. Because
- <literal>md5</literal> uses the user name as salt on both the
- client and server, <literal>md5</literal> cannot be used with
- <varname>db_user_namespace</varname>.
- </para>
-
- <note>
- <para>
- This feature is intended as a temporary measure until a
- complete solution is found. At that time, this option will
- be removed.
- </para>
- </note>
- </listitem>
- </varlistentry>
</variablelist>
</sect2>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a98b934a8e..65d452f099 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,11 +873,6 @@ CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
char *passwd;
int result;
- if (Db_user_namespace)
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
-
/* include the salt to use for computing the response */
if (!pg_strong_random(md5Salt, 4))
{
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f89f138f3c..5d4ddbb04d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1741,19 +1741,7 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
else if (strcmp(token->string, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token->string, "md5") == 0)
- {
- if (Db_user_namespace)
- {
- ereport(elevel,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, file_name)));
- *err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
- return NULL;
- }
parsedline->auth_method = uaMD5;
- }
else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0)
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 4c49393fc5..33a13fdf32 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -236,7 +236,6 @@ int AuthenticationTimeout = 60;
bool log_hostname; /* for ps display and logging */
bool Log_connections = false;
-bool Db_user_namespace = false;
bool enable_bonjour = false;
char *bonjour_name;
@@ -2272,24 +2271,6 @@ retry1:
if (port->database_name == NULL || port->database_name[0] == '\0')
port->database_name = pstrdup(port->user_name);
- if (Db_user_namespace)
- {
- /*
- * If user@, it is a global user, remove '@'. We only want to do this
- * if there is an '@' at the end and no earlier in the user string or
- * they may fake as a local user of another database attaching to this
- * database.
- */
- if (strchr(port->user_name, '@') ==
- port->user_name + strlen(port->user_name) - 1)
- *strchr(port->user_name, '@') = '\0';
- else
- {
- /* Append '@' and dbname */
- port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
- }
- }
-
/*
* Truncate given database and user names to length of a Postgres name.
* This avoids lookup failures when overlength names are given.
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index 71e27f8eb0..25d9008bb6 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -1534,15 +1534,6 @@ struct config_bool ConfigureNamesBool[] =
false,
NULL, NULL, NULL
},
- {
- {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
- gettext_noop("Enables per-database user names."),
- NULL
- },
- &Db_user_namespace,
- false,
- NULL, NULL, NULL
- },
{
{"default_transaction_read_only", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Sets the default read-only status of new transactions."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index e4c0269fa3..c768af9a73 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -96,7 +96,6 @@
#authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#scram_iterations = 4096
-#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index c85090259d..3da00f7983 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -103,8 +103,6 @@ typedef ProtocolVersion MsgType;
typedef uint32 PacketLen;
-extern PGDLLIMPORT bool Db_user_namespace;
-
/*
* In protocol 3.0 and later, the startup packet length is not fixed, but
* we set an arbitrary limit on it anyway. This is just to prevent simple
--
2.25.1
--Kj7319i9nmIyA2yE--
^ permalink raw reply [nested|flat] 8+ messages in thread
* [PATCH v2 1/1] remove db_user_namespace
@ 2023-06-30 19:46 Nathan Bossart <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Nathan Bossart @ 2023-06-30 19:46 UTC (permalink / raw)
---
doc/src/sgml/client-auth.sgml | 5 --
doc/src/sgml/config.sgml | 52 -------------------
src/backend/libpq/auth.c | 5 --
src/backend/libpq/hba.c | 12 -----
src/backend/postmaster/postmaster.c | 19 -------
src/backend/utils/misc/guc_tables.c | 9 ----
src/backend/utils/misc/postgresql.conf.sample | 1 -
src/include/libpq/pqcomm.h | 2 -
8 files changed, 105 deletions(-)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 204d09df67..6c95f0df1e 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1253,11 +1253,6 @@ omicron bryanh guest1
attacks.
</para>
- <para>
- The <literal>md5</literal> method cannot be used with
- the <xref linkend="guc-db-user-namespace"/> feature.
- </para>
-
<para>
To ease transition from the <literal>md5</literal> method to the newer
SCRAM method, if <literal>md5</literal> is specified as a method
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 6262cb7bb2..e6cea8ddfc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1188,58 +1188,6 @@ include_dir 'conf.d'
</para>
</listitem>
</varlistentry>
-
- <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
- <term><varname>db_user_namespace</varname> (<type>boolean</type>)
- <indexterm>
- <primary><varname>db_user_namespace</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- This parameter enables per-database user names. It is off by default.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- </para>
-
- <para>
- If this is on, you should create users as <replaceable>username@dbname</replaceable>.
- When <replaceable>username</replaceable> is passed by a connecting client,
- <literal>@</literal> and the database name are appended to the user
- name and that database-specific user name is looked up by the
- server. Note that when you create users with names containing
- <literal>@</literal> within the SQL environment, you will need to
- quote the user name.
- </para>
-
- <para>
- With this parameter enabled, you can still create ordinary global
- users. Simply append <literal>@</literal> when specifying the user
- name in the client, e.g., <literal>joe@</literal>. The <literal>@</literal>
- will be stripped off before the user name is looked up by the
- server.
- </para>
-
- <para>
- <varname>db_user_namespace</varname> causes the client's and
- server's user name representation to differ.
- Authentication checks are always done with the server's user name
- so authentication methods must be configured for the
- server's user name, not the client's. Because
- <literal>md5</literal> uses the user name as salt on both the
- client and server, <literal>md5</literal> cannot be used with
- <varname>db_user_namespace</varname>.
- </para>
-
- <note>
- <para>
- This feature is intended as a temporary measure until a
- complete solution is found. At that time, this option will
- be removed.
- </para>
- </note>
- </listitem>
- </varlistentry>
</variablelist>
</sect2>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a98b934a8e..65d452f099 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,11 +873,6 @@ CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
char *passwd;
int result;
- if (Db_user_namespace)
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
-
/* include the salt to use for computing the response */
if (!pg_strong_random(md5Salt, 4))
{
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f89f138f3c..5d4ddbb04d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1741,19 +1741,7 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
else if (strcmp(token->string, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token->string, "md5") == 0)
- {
- if (Db_user_namespace)
- {
- ereport(elevel,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, file_name)));
- *err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
- return NULL;
- }
parsedline->auth_method = uaMD5;
- }
else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0)
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 4c49393fc5..33a13fdf32 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -236,7 +236,6 @@ int AuthenticationTimeout = 60;
bool log_hostname; /* for ps display and logging */
bool Log_connections = false;
-bool Db_user_namespace = false;
bool enable_bonjour = false;
char *bonjour_name;
@@ -2272,24 +2271,6 @@ retry1:
if (port->database_name == NULL || port->database_name[0] == '\0')
port->database_name = pstrdup(port->user_name);
- if (Db_user_namespace)
- {
- /*
- * If user@, it is a global user, remove '@'. We only want to do this
- * if there is an '@' at the end and no earlier in the user string or
- * they may fake as a local user of another database attaching to this
- * database.
- */
- if (strchr(port->user_name, '@') ==
- port->user_name + strlen(port->user_name) - 1)
- *strchr(port->user_name, '@') = '\0';
- else
- {
- /* Append '@' and dbname */
- port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
- }
- }
-
/*
* Truncate given database and user names to length of a Postgres name.
* This avoids lookup failures when overlength names are given.
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index 71e27f8eb0..25d9008bb6 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -1534,15 +1534,6 @@ struct config_bool ConfigureNamesBool[] =
false,
NULL, NULL, NULL
},
- {
- {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
- gettext_noop("Enables per-database user names."),
- NULL
- },
- &Db_user_namespace,
- false,
- NULL, NULL, NULL
- },
{
{"default_transaction_read_only", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Sets the default read-only status of new transactions."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index e4c0269fa3..c768af9a73 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -96,7 +96,6 @@
#authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#scram_iterations = 4096
-#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index c85090259d..3da00f7983 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -103,8 +103,6 @@ typedef ProtocolVersion MsgType;
typedef uint32 PacketLen;
-extern PGDLLIMPORT bool Db_user_namespace;
-
/*
* In protocol 3.0 and later, the startup packet length is not fixed, but
* we set an arbitrary limit on it anyway. This is just to prevent simple
--
2.25.1
--X1bOJ3K7DJ5YkBrT--
^ permalink raw reply [nested|flat] 8+ messages in thread
* [PATCH v3 1/1] remove db_user_namespace
@ 2023-06-30 19:46 Nathan Bossart <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Nathan Bossart @ 2023-06-30 19:46 UTC (permalink / raw)
---
doc/src/sgml/client-auth.sgml | 5 --
doc/src/sgml/config.sgml | 52 -------------------
src/backend/libpq/auth.c | 5 --
src/backend/libpq/hba.c | 12 -----
src/backend/postmaster/postmaster.c | 19 -------
src/backend/utils/misc/guc_tables.c | 9 ----
src/backend/utils/misc/postgresql.conf.sample | 1 -
src/include/libpq/pqcomm.h | 2 -
8 files changed, 105 deletions(-)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 204d09df67..6c95f0df1e 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1253,11 +1253,6 @@ omicron bryanh guest1
attacks.
</para>
- <para>
- The <literal>md5</literal> method cannot be used with
- the <xref linkend="guc-db-user-namespace"/> feature.
- </para>
-
<para>
To ease transition from the <literal>md5</literal> method to the newer
SCRAM method, if <literal>md5</literal> is specified as a method
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 6262cb7bb2..e6cea8ddfc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1188,58 +1188,6 @@ include_dir 'conf.d'
</para>
</listitem>
</varlistentry>
-
- <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
- <term><varname>db_user_namespace</varname> (<type>boolean</type>)
- <indexterm>
- <primary><varname>db_user_namespace</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- This parameter enables per-database user names. It is off by default.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- </para>
-
- <para>
- If this is on, you should create users as <replaceable>username@dbname</replaceable>.
- When <replaceable>username</replaceable> is passed by a connecting client,
- <literal>@</literal> and the database name are appended to the user
- name and that database-specific user name is looked up by the
- server. Note that when you create users with names containing
- <literal>@</literal> within the SQL environment, you will need to
- quote the user name.
- </para>
-
- <para>
- With this parameter enabled, you can still create ordinary global
- users. Simply append <literal>@</literal> when specifying the user
- name in the client, e.g., <literal>joe@</literal>. The <literal>@</literal>
- will be stripped off before the user name is looked up by the
- server.
- </para>
-
- <para>
- <varname>db_user_namespace</varname> causes the client's and
- server's user name representation to differ.
- Authentication checks are always done with the server's user name
- so authentication methods must be configured for the
- server's user name, not the client's. Because
- <literal>md5</literal> uses the user name as salt on both the
- client and server, <literal>md5</literal> cannot be used with
- <varname>db_user_namespace</varname>.
- </para>
-
- <note>
- <para>
- This feature is intended as a temporary measure until a
- complete solution is found. At that time, this option will
- be removed.
- </para>
- </note>
- </listitem>
- </varlistentry>
</variablelist>
</sect2>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a98b934a8e..65d452f099 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,11 +873,6 @@ CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
char *passwd;
int result;
- if (Db_user_namespace)
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
-
/* include the salt to use for computing the response */
if (!pg_strong_random(md5Salt, 4))
{
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f89f138f3c..5d4ddbb04d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1741,19 +1741,7 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
else if (strcmp(token->string, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token->string, "md5") == 0)
- {
- if (Db_user_namespace)
- {
- ereport(elevel,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, file_name)));
- *err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
- return NULL;
- }
parsedline->auth_method = uaMD5;
- }
else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0)
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 0b1de9efb2..9c8ec779f9 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -236,7 +236,6 @@ int AuthenticationTimeout = 60;
bool log_hostname; /* for ps display and logging */
bool Log_connections = false;
-bool Db_user_namespace = false;
bool enable_bonjour = false;
char *bonjour_name;
@@ -2272,24 +2271,6 @@ retry1:
if (port->database_name == NULL || port->database_name[0] == '\0')
port->database_name = pstrdup(port->user_name);
- if (Db_user_namespace)
- {
- /*
- * If user@, it is a global user, remove '@'. We only want to do this
- * if there is an '@' at the end and no earlier in the user string or
- * they may fake as a local user of another database attaching to this
- * database.
- */
- if (strchr(port->user_name, '@') ==
- port->user_name + strlen(port->user_name) - 1)
- *strchr(port->user_name, '@') = '\0';
- else
- {
- /* Append '@' and dbname */
- port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
- }
- }
-
if (am_walsender)
MyBackendType = B_WAL_SENDER;
else
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index f8ef87d26d..0c38af3f69 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -1534,15 +1534,6 @@ struct config_bool ConfigureNamesBool[] =
false,
NULL, NULL, NULL
},
- {
- {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
- gettext_noop("Enables per-database user names."),
- NULL
- },
- &Db_user_namespace,
- false,
- NULL, NULL, NULL
- },
{
{"default_transaction_read_only", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Sets the default read-only status of new transactions."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index e4c0269fa3..c768af9a73 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -96,7 +96,6 @@
#authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#scram_iterations = 4096
-#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index c85090259d..3da00f7983 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -103,8 +103,6 @@ typedef ProtocolVersion MsgType;
typedef uint32 PacketLen;
-extern PGDLLIMPORT bool Db_user_namespace;
-
/*
* In protocol 3.0 and later, the startup packet length is not fixed, but
* we set an arbitrary limit on it anyway. This is just to prevent simple
--
2.25.1
--CE+1k2dSO48ffgeK--
^ permalink raw reply [nested|flat] 8+ messages in thread
* [PATCH v2 1/1] remove db_user_namespace
@ 2023-06-30 19:46 Nathan Bossart <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Nathan Bossart @ 2023-06-30 19:46 UTC (permalink / raw)
---
doc/src/sgml/client-auth.sgml | 5 --
doc/src/sgml/config.sgml | 52 -------------------
src/backend/libpq/auth.c | 5 --
src/backend/libpq/hba.c | 12 -----
src/backend/postmaster/postmaster.c | 19 -------
src/backend/utils/misc/guc_tables.c | 9 ----
src/backend/utils/misc/postgresql.conf.sample | 1 -
src/include/libpq/pqcomm.h | 2 -
8 files changed, 105 deletions(-)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 204d09df67..6c95f0df1e 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1253,11 +1253,6 @@ omicron bryanh guest1
attacks.
</para>
- <para>
- The <literal>md5</literal> method cannot be used with
- the <xref linkend="guc-db-user-namespace"/> feature.
- </para>
-
<para>
To ease transition from the <literal>md5</literal> method to the newer
SCRAM method, if <literal>md5</literal> is specified as a method
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 6262cb7bb2..e6cea8ddfc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1188,58 +1188,6 @@ include_dir 'conf.d'
</para>
</listitem>
</varlistentry>
-
- <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
- <term><varname>db_user_namespace</varname> (<type>boolean</type>)
- <indexterm>
- <primary><varname>db_user_namespace</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- This parameter enables per-database user names. It is off by default.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- </para>
-
- <para>
- If this is on, you should create users as <replaceable>username@dbname</replaceable>.
- When <replaceable>username</replaceable> is passed by a connecting client,
- <literal>@</literal> and the database name are appended to the user
- name and that database-specific user name is looked up by the
- server. Note that when you create users with names containing
- <literal>@</literal> within the SQL environment, you will need to
- quote the user name.
- </para>
-
- <para>
- With this parameter enabled, you can still create ordinary global
- users. Simply append <literal>@</literal> when specifying the user
- name in the client, e.g., <literal>joe@</literal>. The <literal>@</literal>
- will be stripped off before the user name is looked up by the
- server.
- </para>
-
- <para>
- <varname>db_user_namespace</varname> causes the client's and
- server's user name representation to differ.
- Authentication checks are always done with the server's user name
- so authentication methods must be configured for the
- server's user name, not the client's. Because
- <literal>md5</literal> uses the user name as salt on both the
- client and server, <literal>md5</literal> cannot be used with
- <varname>db_user_namespace</varname>.
- </para>
-
- <note>
- <para>
- This feature is intended as a temporary measure until a
- complete solution is found. At that time, this option will
- be removed.
- </para>
- </note>
- </listitem>
- </varlistentry>
</variablelist>
</sect2>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a98b934a8e..65d452f099 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,11 +873,6 @@ CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
char *passwd;
int result;
- if (Db_user_namespace)
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
-
/* include the salt to use for computing the response */
if (!pg_strong_random(md5Salt, 4))
{
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f89f138f3c..5d4ddbb04d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1741,19 +1741,7 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
else if (strcmp(token->string, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token->string, "md5") == 0)
- {
- if (Db_user_namespace)
- {
- ereport(elevel,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, file_name)));
- *err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
- return NULL;
- }
parsedline->auth_method = uaMD5;
- }
else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0)
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 4c49393fc5..33a13fdf32 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -236,7 +236,6 @@ int AuthenticationTimeout = 60;
bool log_hostname; /* for ps display and logging */
bool Log_connections = false;
-bool Db_user_namespace = false;
bool enable_bonjour = false;
char *bonjour_name;
@@ -2272,24 +2271,6 @@ retry1:
if (port->database_name == NULL || port->database_name[0] == '\0')
port->database_name = pstrdup(port->user_name);
- if (Db_user_namespace)
- {
- /*
- * If user@, it is a global user, remove '@'. We only want to do this
- * if there is an '@' at the end and no earlier in the user string or
- * they may fake as a local user of another database attaching to this
- * database.
- */
- if (strchr(port->user_name, '@') ==
- port->user_name + strlen(port->user_name) - 1)
- *strchr(port->user_name, '@') = '\0';
- else
- {
- /* Append '@' and dbname */
- port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
- }
- }
-
/*
* Truncate given database and user names to length of a Postgres name.
* This avoids lookup failures when overlength names are given.
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index 71e27f8eb0..25d9008bb6 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -1534,15 +1534,6 @@ struct config_bool ConfigureNamesBool[] =
false,
NULL, NULL, NULL
},
- {
- {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
- gettext_noop("Enables per-database user names."),
- NULL
- },
- &Db_user_namespace,
- false,
- NULL, NULL, NULL
- },
{
{"default_transaction_read_only", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Sets the default read-only status of new transactions."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index e4c0269fa3..c768af9a73 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -96,7 +96,6 @@
#authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#scram_iterations = 4096
-#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index c85090259d..3da00f7983 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -103,8 +103,6 @@ typedef ProtocolVersion MsgType;
typedef uint32 PacketLen;
-extern PGDLLIMPORT bool Db_user_namespace;
-
/*
* In protocol 3.0 and later, the startup packet length is not fixed, but
* we set an arbitrary limit on it anyway. This is just to prevent simple
--
2.25.1
--X1bOJ3K7DJ5YkBrT--
^ permalink raw reply [nested|flat] 8+ messages in thread
* [PATCH v3 1/1] remove db_user_namespace
@ 2023-06-30 19:46 Nathan Bossart <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: Nathan Bossart @ 2023-06-30 19:46 UTC (permalink / raw)
---
doc/src/sgml/client-auth.sgml | 5 --
doc/src/sgml/config.sgml | 52 -------------------
src/backend/libpq/auth.c | 5 --
src/backend/libpq/hba.c | 12 -----
src/backend/postmaster/postmaster.c | 19 -------
src/backend/utils/misc/guc_tables.c | 9 ----
src/backend/utils/misc/postgresql.conf.sample | 1 -
src/include/libpq/pqcomm.h | 2 -
8 files changed, 105 deletions(-)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 204d09df67..6c95f0df1e 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1253,11 +1253,6 @@ omicron bryanh guest1
attacks.
</para>
- <para>
- The <literal>md5</literal> method cannot be used with
- the <xref linkend="guc-db-user-namespace"/> feature.
- </para>
-
<para>
To ease transition from the <literal>md5</literal> method to the newer
SCRAM method, if <literal>md5</literal> is specified as a method
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 6262cb7bb2..e6cea8ddfc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1188,58 +1188,6 @@ include_dir 'conf.d'
</para>
</listitem>
</varlistentry>
-
- <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
- <term><varname>db_user_namespace</varname> (<type>boolean</type>)
- <indexterm>
- <primary><varname>db_user_namespace</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- This parameter enables per-database user names. It is off by default.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- </para>
-
- <para>
- If this is on, you should create users as <replaceable>username@dbname</replaceable>.
- When <replaceable>username</replaceable> is passed by a connecting client,
- <literal>@</literal> and the database name are appended to the user
- name and that database-specific user name is looked up by the
- server. Note that when you create users with names containing
- <literal>@</literal> within the SQL environment, you will need to
- quote the user name.
- </para>
-
- <para>
- With this parameter enabled, you can still create ordinary global
- users. Simply append <literal>@</literal> when specifying the user
- name in the client, e.g., <literal>joe@</literal>. The <literal>@</literal>
- will be stripped off before the user name is looked up by the
- server.
- </para>
-
- <para>
- <varname>db_user_namespace</varname> causes the client's and
- server's user name representation to differ.
- Authentication checks are always done with the server's user name
- so authentication methods must be configured for the
- server's user name, not the client's. Because
- <literal>md5</literal> uses the user name as salt on both the
- client and server, <literal>md5</literal> cannot be used with
- <varname>db_user_namespace</varname>.
- </para>
-
- <note>
- <para>
- This feature is intended as a temporary measure until a
- complete solution is found. At that time, this option will
- be removed.
- </para>
- </note>
- </listitem>
- </varlistentry>
</variablelist>
</sect2>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a98b934a8e..65d452f099 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,11 +873,6 @@ CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
char *passwd;
int result;
- if (Db_user_namespace)
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
-
/* include the salt to use for computing the response */
if (!pg_strong_random(md5Salt, 4))
{
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f89f138f3c..5d4ddbb04d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1741,19 +1741,7 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
else if (strcmp(token->string, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token->string, "md5") == 0)
- {
- if (Db_user_namespace)
- {
- ereport(elevel,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, file_name)));
- *err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
- return NULL;
- }
parsedline->auth_method = uaMD5;
- }
else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0)
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 0b1de9efb2..9c8ec779f9 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -236,7 +236,6 @@ int AuthenticationTimeout = 60;
bool log_hostname; /* for ps display and logging */
bool Log_connections = false;
-bool Db_user_namespace = false;
bool enable_bonjour = false;
char *bonjour_name;
@@ -2272,24 +2271,6 @@ retry1:
if (port->database_name == NULL || port->database_name[0] == '\0')
port->database_name = pstrdup(port->user_name);
- if (Db_user_namespace)
- {
- /*
- * If user@, it is a global user, remove '@'. We only want to do this
- * if there is an '@' at the end and no earlier in the user string or
- * they may fake as a local user of another database attaching to this
- * database.
- */
- if (strchr(port->user_name, '@') ==
- port->user_name + strlen(port->user_name) - 1)
- *strchr(port->user_name, '@') = '\0';
- else
- {
- /* Append '@' and dbname */
- port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
- }
- }
-
if (am_walsender)
MyBackendType = B_WAL_SENDER;
else
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index f8ef87d26d..0c38af3f69 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -1534,15 +1534,6 @@ struct config_bool ConfigureNamesBool[] =
false,
NULL, NULL, NULL
},
- {
- {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
- gettext_noop("Enables per-database user names."),
- NULL
- },
- &Db_user_namespace,
- false,
- NULL, NULL, NULL
- },
{
{"default_transaction_read_only", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Sets the default read-only status of new transactions."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index e4c0269fa3..c768af9a73 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -96,7 +96,6 @@
#authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#scram_iterations = 4096
-#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index c85090259d..3da00f7983 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -103,8 +103,6 @@ typedef ProtocolVersion MsgType;
typedef uint32 PacketLen;
-extern PGDLLIMPORT bool Db_user_namespace;
-
/*
* In protocol 3.0 and later, the startup packet length is not fixed, but
* we set an arbitrary limit on it anyway. This is just to prevent simple
--
2.25.1
--CE+1k2dSO48ffgeK--
^ permalink raw reply [nested|flat] 8+ messages in thread
end of thread, other threads:[~2023-06-30 19:46 UTC | newest]
Thread overview: 8+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2023-04-12 04:05 Re: Various typo fixes Michael Paquier <[email protected]>
2023-06-30 19:46 [PATCH v1 1/1] remove db_user_namespace Nathan Bossart <[email protected]>
2023-06-30 19:46 [PATCH v4 1/1] remove db_user_namespace Nathan Bossart <[email protected]>
2023-06-30 19:46 [PATCH v1 1/1] remove db_user_namespace Nathan Bossart <[email protected]>
2023-06-30 19:46 [PATCH v2 1/1] remove db_user_namespace Nathan Bossart <[email protected]>
2023-06-30 19:46 [PATCH v3 1/1] remove db_user_namespace Nathan Bossart <[email protected]>
2023-06-30 19:46 [PATCH v2 1/1] remove db_user_namespace Nathan Bossart <[email protected]>
2023-06-30 19:46 [PATCH v3 1/1] remove db_user_namespace Nathan Bossart <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox