On Wed, 2022-03-02 at 09:18 +0100, Peter Eisentraut wrote:
> On 01.03.22 23:05, Jacob Champion wrote:
> > On Tue, 2022-03-01 at 19:56 +0100, Peter Eisentraut wrote:
> > > This patch contains no documentation. I'm having a hard time
> > > understanding what the name "session_authn_id" is supposed to convey.
> > > The comment for the Port.authn_id field says this is the "system
> > > username", which sounds like a clearer terminology.
> >
> > "System username" may help from an internal development perspective,
> > especially as it relates to pg_ident.conf, but I don't think that's
> > likely to be a useful descriptor to an end user. (I don't think of a
> > client certificate's Subject Distinguished Name as a "system
> > username".) Does my attempt in v5 help?
>
> Yeah, maybe there are better names. But I have no idea what the letter
> combination "authn_id" is supposed to stand for. Is it an
> "authentication identifier"? What does it identify?
Authenticated identity, but yeah, that's the gist. ("AuthN" being a
standard-ish way to differentiate authentication from "AuthZ"
authorization.)
It's meant to uniquely identify the end user in the case of usermaps,
where multiple separate entities might log in using the same role. It
is distinct from the authorized role name, though they might be exactly
the same in many common setups. And it's not set at all if no
authentication was done.
> Maybe I'm missing something here, but I don't find it clear.
I just used the internal name, but if we want to make it more clear
then now would be a good time. Do you have any suggestions? Does
expanding the name (pg_session_authenticated_id, or even
pg_session_authenticated_identity) help?
--Jacob