On 5/13/21 7:38 PM, Bossart, Nathan wrote: > Hi hackers, > > I've attached a small patch that allows specifying only direct members > of a group in pg_hba.conf. The "+" prefix offered today matches both > direct and indirect role members, which may complicate some role > setups. For example, if you have one set of roles that are members of > the "pam" role and another set that are members of the "scram-sha-256" > role, granting membership in a PAM role to a SCRAM role might > inadvertently modify the desired authentication method for the > grantee. If only direct membership is considered, no such inadvertent > authentication method change would occur. > > I chose "&" as a new group name prefix for this purpose. This choice > seemed as good as any, but I'm open to changing it if anyone has > suggestions. For determining direct role membership, I added a new > function in acl.c that matches other related functions. I added a new > role cache type since it seemed to fit in reasonably well, but it seems > unlikely that there is any real performance benefit versus simply > open-coding the syscache lookup. > > I didn't see any existing authentication tests for groups at first > glance. If folks are interested in this functionality, I can work on > adding some tests for this stuff. >
Do we really want to be creating two classes of role membership? cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
