Hi,
On 9/29/22 8:12 AM, Michael Paquier wrote:
On Wed, Sep 28, 2022 at 12:58:48PM +0200, Drouvot, Bertrand wrote:
I had a look at v5 and it does look good to me.
Okay, cool. I have spent some time today doing a last pass over it
and an extra round of tests. Things looked fine, so applied.
-
On Wed, Sep 28, 2022 at 12:58:48PM +0200, Drouvot, Bertrand wrote:
> I had a look at v5 and it does look good to me.
Okay, cool. I have spent some time today doing a last pass over it
and an extra round of tests. Things looked fine, so applied.
--
Michael
signature.asc
Description: PGP signatu
Hi,
On 9/28/22 5:28 AM, Michael Paquier wrote:
On Tue, Sep 27, 2022 at 03:38:49PM -0700, Jacob Champion wrote:
On 9/26/22 06:29, Drouvot, Bertrand wrote:
Since there are only internal clients to the API, I'd argue this makes
more sense as an Assert(authn_id != NULL), but I don't think it's a
de
On Tue, Sep 27, 2022 at 03:38:49PM -0700, Jacob Champion wrote:
> On 9/26/22 06:29, Drouvot, Bertrand wrote:
> Since there are only internal clients to the API, I'd argue this makes
> more sense as an Assert(authn_id != NULL), but I don't think it's a
> dealbreaker.
Using an assert() looks like a
On 9/26/22 06:29, Drouvot, Bertrand wrote:
> Please find attached V4 taking care of Jacob's previous comments.
> + /*
> + * InitializeSystemUser should already be called once we are sure that
> + * authn_id is not NULL (means auth_method is actually valid).
> + * But keep the te
Hi,
On 9/8/22 3:17 AM, Michael Paquier wrote:
On Wed, Sep 07, 2022 at 08:48:43AM -0700, Jacob Champion wrote:
We could pass the bare auth_method index, or update the documentation
for auth_method to state that it's guaranteed to be zero if authn_id is
NULL (and then enforce that).
c
Hi,
On 9/7/22 5:48 PM, Jacob Champion wrote:
On 9/7/22 07:46, Drouvot, Bertrand wrote:
Except the Nit above, that looks all good to me.
A few additional comments:
+assigned a database role. It is represented as
+auth_method:identity or
+NULL if the user has not been
On Wed, Sep 7, 2022 at 6:17 PM Michael Paquier wrote:
> >> + /* Initialize SystemUser now that MyClientConnectionInfo is
> >> restored. */
> >> + InitializeSystemUser(MyClientConnectionInfo.authn_id,
> >> +
> >> hba_authname(MyClientConn
On Wed, Sep 07, 2022 at 08:48:43AM -0700, Jacob Champion wrote:
> Also, this function's placement in the docs (with the System Catalog
> Information Functions) seems wrong to me. I think it should go up above
> in the Session Information Functions, with current_user et al.
Yeah, this had better us
On 9/7/22 07:46, Drouvot, Bertrand wrote:
> Except the Nit above, that looks all good to me.
A few additional comments:
> +assigned a database role. It is represented as
> +auth_method:identity or
> +NULL if the user has not been authenticated (for
> +example if h
On Fri, Aug 26, 2022 at 10:02:26AM +0900, Michael Paquier wrote:
> FWIW, I was also wondering about the need for all this initialization
> stanza and the extra SystemUser in TopMemoryContext. Now that we have
> MyClientConnectionInfo, I was thinking to just build the string in the
> SQL function a
On Thu, Aug 25, 2022 at 08:21:05PM +0200, Drouvot, Bertrand wrote:
> system_user() now returns a text and I moved it to miscinit.c in the new
> version attached (I think it makes more sense now).
+/* kluge to avoid including libpq/libpq-be.h here */
+struct ClientConnectionInfo;
+extern void Initi
On Wed, Aug 17, 2022 at 04:48:42PM +0200, Drouvot, Bertrand wrote:
> That way one could test the SYSTEM_USER behavior without the need to have
> kerberos enabled.
I was looking at this patch and noticed that SYSTEM_USER returns a
"name", meaning that the value would be automatically truncated at 6
On Fri, Aug 12, 2022 at 6:32 AM Drouvot, Bertrand wrote:
> It has been agreed that the work on this patch is on hold until the
> ClientConnectionInfo related work is finished (see the discussion in [1]).
>
> Having said that I'm attaching a new patch
> "v2-0004-system_user-implementation.patch" fo
On 2022-Jun-25, Drouvot, Bertrand wrote:
> diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h
> index 0af130fbc5..8d761512fd 100644
> --- a/src/include/miscadmin.h
> +++ b/src/include/miscadmin.h
> @@ -364,6 +364,10 @@ extern void InitializeSessionUserIdStandalone(void);
> extern void
On Wed, Jun 22, 2022 at 9:28 AM Tom Lane wrote:
> Joe Conway writes:
> > On 6/22/22 11:52, Tom Lane wrote:
> >> I think a case could be made for ONLY returning non-null when authn_id
> >> represents some externally-verified identifier (OS user ID gotten via
> >> peer identification, Kerberos pri
On Wed, Jun 22, 2022 at 9:26 AM Joe Conway wrote:
> On 6/22/22 11:35, Jacob Champion wrote:
> > On Wed, Jun 22, 2022 at 8:10 AM Joe Conway wrote:
> Why would you want to do it differently than
> SessionUserId/OuterUserId/CurrentUserId? It is analogous, no?
Like I said, now there are two differen
On 6/22/22 12:28, Tom Lane wrote:
Joe Conway writes:
On 6/22/22 11:52, Tom Lane wrote:
I think a case could be made for ONLY returning non-null when authn_id
represents some externally-verified identifier (OS user ID gotten via
peer identification, Kerberos principal, etc).
But -1 on that.
Joe Conway writes:
> On 6/22/22 11:52, Tom Lane wrote:
>> I think a case could be made for ONLY returning non-null when authn_id
>> represents some externally-verified identifier (OS user ID gotten via
>> peer identification, Kerberos principal, etc).
> But -1 on that.
> I think any time we have
On 6/22/22 11:35, Jacob Champion wrote:
On Wed, Jun 22, 2022 at 8:10 AM Joe Conway wrote:
--- a/src/backend/utils/init/miscinit.c
+++ b/src/backend/utils/init/miscinit.c
@@ -473,6 +473,7 @@ static OidAuthenticatedUserId = InvalidOid;
static OidSessionUserId = InvalidOid;
static Oid
On 6/22/22 11:52, Tom Lane wrote:
Jacob Champion writes:
On Wed, Jun 22, 2022 at 8:10 AM Joe Conway wrote:
In case port->authn_id is NULL then the patch is returning the SESSION_USER for
the SYSTEM_USER. Perhaps it should return NULL instead.
If the spec says that SYSTEM_USER "represents
Jacob Champion writes:
> On Wed, Jun 22, 2022 at 8:10 AM Joe Conway wrote:
>> In case port->authn_id is NULL then the patch is returning the SESSION_USER
>> for the SYSTEM_USER. Perhaps it should return NULL instead.
> If the spec says that SYSTEM_USER "represents the operating system
> user",
On Wed, Jun 22, 2022 at 8:10 AM Joe Conway wrote:
> On the contrary, I would argue that not having the identifier for the
> external "user" available is a security concern. Ideally you want to be
> able to trace actions inside Postgres to the actual user that invoked them.
If auditing is also the
Joe Conway writes:
> On 6/22/22 10:51, Tom Lane wrote:
>> My immediate guess would be that the SQL committee only intends
>> to deal in SQL role names and therefore SYSTEM_USER is defined
>> to return one of those, but I've not gone looking in the spec
>> to be sure.
> I only have a draft copy, b
On 6/22/22 10:51, Tom Lane wrote:
My immediate guess would be that the SQL committee only intends
to deal in SQL role names and therefore SYSTEM_USER is defined
to return one of those, but I've not gone looking in the spec
to be sure.
I only have a draft copy, but in SQL 2016 I find relatively
Joe Conway writes:
> On 6/22/22 09:49, Tom Lane wrote:
>> On what grounds do you argue that that's the appropriate meaning of
>> SYSTEM_USER?
> What else do you imagine it might mean?
I was hoping for some citation of the SQL spec.
> Here is SQL Server interpretation for example:
>"SYSTEM_U
On 6/22/22 09:49, Tom Lane wrote:
"Drouvot, Bertrand" writes:
Please find attached a patch proposal to make use of the SYSTEM_USER so
that it returns the authenticated identity (if any) (aka authn_id in the
Port struct).
On what grounds do you argue that that's the appropriate meaning of
SYS
"Drouvot, Bertrand" writes:
> Please find attached a patch proposal to make use of the SYSTEM_USER so
> that it returns the authenticated identity (if any) (aka authn_id in the
> Port struct).
On what grounds do you argue that that's the appropriate meaning of
SYSTEM_USER?
Hi hackers,
The SYSTEM_USER is a sql reserved word as mentioned in [1] and is
currently not implemented.
Please find attached a patch proposal to make use of the SYSTEM_USER so
that it returns the authenticated identity (if any) (aka authn_id in the
Port struct).
Indeed in some circumstanc
29 matches
Mail list logo
