Re: allowing "map" for password auth methods with clientcert=verify-full

On Tue, 2021-10-26 at 18:16 -0400, Tom Lane wrote:
> Per "21.2. User Name Maps", I think that the map parameter is supposed
> to translate from the startup packet's user name to the SQL role name.

I may have misunderstood what you wrote, but IIUC the startup packet's
user name _is_ the SQL role name, even when using a map. The map is
just determining whether or not the authenticated ID (pulled from a
certificate, or from Kerberos, or etc.) is authorized to use that role
name. It's not a translation, because you can have a one-to-many user
mapping (where me@example.com is allowed to log in as `me` or
`postgres` or `admin` or...).

Please correct me if I've missed something -- I need to have it right
in my head, given my other patches in this area...

--Jacob