On Tue, 2021-10-26 at 18:16 -0400, Tom Lane wrote:
> Per "21.2. User Name Maps", I think that the map parameter is supposed
> to translate from the startup packet's user name to the SQL role name.

I may have misunderstood what you wrote, but IIUC the startup packet's user name _is_ the SQL role name, even when using a map. The map is just determining whether or not the authenticated ID (pulled from a certificate, or from Kerberos, or etc.) is authorized to use that role name.

It's not a translation, because you can have a one-to-many user mapping (where m...@example.com is allowed to log in as `me` or `postgres` or `admin` or...).

Please correct me if I've missed something -- I need to have it right in my head, given my other patches in this area...

--Jacob
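
A simplified model of the check described in the message above, added here as an illustration (not part of the thread and not PostgreSQL's code): the role name requested in the startup packet is tested against the map entries for the authenticated ID and is never rewritten. The map name `certmap`, the addresses and the role names are constructed, and Python's `re` stands in for the server's regular-expression engine.

```python
import re

# Constructed pg_ident.conf-style lines (map name, addresses and roles are
# made up for this example): MAPNAME  SYSTEM-USERNAME  PG-USERNAME
SAMPLE_IDENT = r"""
certmap   me@example.com          me
certmap   me@example.com          postgres
certmap   me@example.com          admin
certmap   /^(.*)@example\.org$    \1
"""


def parse_ident(text):
    """Parse map lines into (mapname, system_user, pg_user) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields: {raw!r}")
        entries.append(tuple(fields))
    return entries


def is_authorized(entries, mapname, authn_id, requested_role):
    """Return True if authn_id may connect as requested_role.

    requested_role is the name from the startup packet; it is only ever
    compared against the map, never rewritten by it.
    """
    for name, system_user, pg_user in entries:
        if name != mapname:
            continue
        if system_user.startswith("/"):
            # Regex entry: \1 in the role column is the first capture group.
            match = re.search(system_user[1:], authn_id)
            if match is None:
                continue
            if match.groups():
                pg_user = pg_user.replace(r"\1", match.group(1) or "")
        elif system_user != authn_id:
            continue
        if pg_user == requested_role:
            return True
    return False


def allowed_roles(entries, mapname, authn_id, candidates):
    """List which candidate role names authn_id may request."""
    return [r for r in candidates if is_authorized(entries, mapname, authn_id, r)]
```
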