Re: pam auth - add rhost item

On 16-10-2015 10:37, Robert Haas wrote:
> - Did he implement this correctly?>
> - Would it break anything?>
I did not review the patch.

> - Are there lots of other knobs we should expose too instead of just one?>
We are providing PAM_USER and PAM_CONV. The complete list of options are 
[1]. Maybe PAM_RUSER? BTW, we could use pg_ident.conf to map user foo 
(app) to user bar (PAM).

> - What would it take to turn this into a committable patch?>
Review?

> - Would the cost of exposing this and perhaps some other knobs cost
> too much in performance for the number of people it would make happy?>
No.

> - If so, should the behavior be GUC-controlled or is there
> justification for arguing we should drop the whole patch?
>
The patch always set PAM_RHOST, ie. it means I can't disable it (at the 
postgres side). Is it a problem? Of course the PAM module can provide a 
way to ignore it but it is not our business.

> I feel like we've got somebody new showing up to our community with an
> idea that is not obviously stupid.  If we want such people to stick
> around, we should try to give their ideas a fair shake.
>
I share the same feeling. I wasn't trying to throw a cold water on it.


[1] http://pubs.opengroup.org/onlinepubs/8329799/pam_set_item.htm


--    Euler Taveira                   Timbira - http://www.timbira.com.br/   PostgreSQL: Consultoria, Desenvolvimento,
Suporte24x7 e Treinamento