Re: elog(FATAL)ing non-existent roles during client

On Thu, 30 Nov 2006, Tom Lane wrote:

> Gavin Sherry <swm@linuxworld.com.au> writes:
> > I wonder if we should check if the role exists for the other
> > authentication methods too? get_role_line() should be very cheap and it
> > would prevent unnecessary authentication work if we did it before
> > contacting, for example, the client ident server. Even with trust, it
> > would save work because otherwise we do not check if the user exists until
> > InitializeSessionUserId(), at which time we're set up our proc entry etc.
>
> This only saves work if the supplied ID is in fact invalid, which one
> would surely think isn't the normal case; otherwise it costs more.

Yes.

> I could see doing this in the ident path, because contacting a remote
> ident server is certainly expensive on both sides.  I doubt it's a good
> idea in the trust case.

Agreed. How about Kerberos too, applying the same logic?

Gavin