Re: Keystone auth in PostgreSQL

Daniel Farina <daniel@heroku.com> writes:
> On Thu, Mar 15, 2012 at 6:38 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Our standard answer when someone asks for $random-auth-method is to
>> suggest that they find a PAM module for it and use PAM.  I wouldn't
>> want to claim that PAM is a particularly great interface for this
>> sort of thing, but it's out there and I don't know of any serious
>> competition.

> I considered writing a PAM module to do some stuff at one time (to try
> to solve the two-passwords-for-a-user problem), but the non-intrinsic
> complexity to perform pretty simple tasks in the whole thing is pretty
> terrible -- it ended up being more attractive to do fairly ugly role
> mangling in Postgres's own authentication system.  And, like you, I
> don't know of any serious competition to PAM in performing simple
> authentication delegations.

Yeah, I've only had to touch our PAM interface a couple of times, but
each time I came away thinking "my goodness, that's ugly and over-
complicated".

I'm not volunteering to build something better, though.
        regards, tom lane