database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-27 23:21:58 +03:00
Code Activity

Remove db_user_namespace.

Browse Source 
This feature was intended to be a temporary measure to support
per-database user names.  A better one hasn't materialized in the
~21 years since it was added, and nobody claims to be using it, so
let's just remove it.

Reviewed-by: Michael Paquier, Magnus Hagander
Discussion: https://postgr.es/m/20230630200509.GA2830328%40nathanxps13
Discussion: https://postgr.es/m/20230630215608.GD2941194%40nathanxps13
This commit is contained in:
Nathan Bossart
2023-07-17 11:44:59 -07:00
parent 2c2eb0d6b2
commit 884eee5bfb
8 changed files with 0 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
doc/src/sgml/client-auth.sgml
View File

@ -1253,11 +1253,6 @@ omicron bryanh guest1
attacks. attacks.
</para> </para>
<para>
The <literal>md5</literal> method cannot be used with
the <xref linkend="guc-db-user-namespace"/> feature.
</para>
<para> <para>
To ease transition from the <literal>md5</literal> method to the newer To ease transition from the <literal>md5</literal> method to the newer
SCRAM method, if <literal>md5</literal> is specified as a method SCRAM method, if <literal>md5</literal> is specified as a method

52
doc/src/sgml/config.sgml
View File

@ -1188,58 +1188,6 @@ include_dir 'conf.d'
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
<term><varname>db_user_namespace</varname> (<type>boolean</type>)
<indexterm>
<primary><varname>db_user_namespace</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
This parameter enables per-database user names. It is off by default.
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
</para>
<para>
If this is on, you should create users as <replaceable>username@dbname</replaceable>.
When <replaceable>username</replaceable> is passed by a connecting client,
<literal>@</literal> and the database name are appended to the user
name and that database-specific user name is looked up by the
server. Note that when you create users with names containing
<literal>@</literal> within the SQL environment, you will need to
quote the user name.
</para>
<para>
With this parameter enabled, you can still create ordinary global
users. Simply append <literal>@</literal> when specifying the user
name in the client, e.g., <literal>joe@</literal>. The <literal>@</literal>
will be stripped off before the user name is looked up by the
server.
</para>
<para>
<varname>db_user_namespace</varname> causes the client's and
server's user name representation to differ.
Authentication checks are always done with the server's user name
so authentication methods must be configured for the
server's user name, not the client's. Because
<literal>md5</literal> uses the user name as salt on both the
client and server, <literal>md5</literal> cannot be used with
<varname>db_user_namespace</varname>.
</para>
<note>
<para>
This feature is intended as a temporary measure until a
complete solution is found. At that time, this option will
be removed.
</para>
</note>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</sect2> </sect2>

5
src/backend/libpq/auth.c
View File

@ -873,11 +873,6 @@ CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
char *passwd; char *passwd;
int result; int result;
if (Db_user_namespace)
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
/* include the salt to use for computing the response */ /* include the salt to use for computing the response */
if (!pg_strong_random(md5Salt, 4)) if (!pg_strong_random(md5Salt, 4))
{ {

12
src/backend/libpq/hba.c
View File

@ -1741,19 +1741,7 @@ parse_hba_line(TokenizedAuthLine *tok_line, int elevel)
else if (strcmp(token->string, "reject") == 0) else if (strcmp(token->string, "reject") == 0)
parsedline->auth_method = uaReject; parsedline->auth_method = uaReject;
else if (strcmp(token->string, "md5") == 0) else if (strcmp(token->string, "md5") == 0)
{
if (Db_user_namespace)
{
ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
errcontext("line %d of configuration file \"%s\"",
line_num, file_name)));
*err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
return NULL;
}
parsedline->auth_method = uaMD5; parsedline->auth_method = uaMD5;
}
else if (strcmp(token->string, "scram-sha-256") == 0) else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM; parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0) else if (strcmp(token->string, "pam") == 0)

19
src/backend/postmaster/postmaster.c
View File

@ -236,7 +236,6 @@ int AuthenticationTimeout = 60;
bool log_hostname; /* for ps display and logging */ bool log_hostname; /* for ps display and logging */
bool Log_connections = false; bool Log_connections = false;
bool Db_user_namespace = false;
bool enable_bonjour = false; bool enable_bonjour = false;
char *bonjour_name; char *bonjour_name;
@ -2272,24 +2271,6 @@ retry1:
if (port->database_name == NULL || port->database_name[0] == '\0') if (port->database_name == NULL || port->database_name[0] == '\0')
port->database_name = pstrdup(port->user_name); port->database_name = pstrdup(port->user_name);
if (Db_user_namespace)
{
/*
* If user@, it is a global user, remove '@'. We only want to do this
* if there is an '@' at the end and no earlier in the user string or
* they may fake as a local user of another database attaching to this
* database.
*/
if (strchr(port->user_name, '@') ==
port->user_name + strlen(port->user_name) - 1)
*strchr(port->user_name, '@') = '\0';
else
{
/* Append '@' and dbname */
port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
}
}
if (am_walsender) if (am_walsender)
MyBackendType = B_WAL_SENDER; MyBackendType = B_WAL_SENDER;
else else

9
src/backend/utils/misc/guc_tables.c
View File

@ -1545,15 +1545,6 @@ struct config_bool ConfigureNamesBool[] =
false, false,
NULL, NULL, NULL NULL, NULL, NULL
}, },
{
{"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Enables per-database user names."),
NULL
},
&Db_user_namespace,
false,
NULL, NULL, NULL
},
{ {
{"default_transaction_read_only", PGC_USERSET, CLIENT_CONN_STATEMENT, {"default_transaction_read_only", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Sets the default read-only status of new transactions."), gettext_noop("Sets the default read-only status of new transactions."),

1
src/backend/utils/misc/postgresql.conf.sample
View File

@ -96,7 +96,6 @@
#authentication_timeout = 1min # 1s-600s #authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5 #password_encryption = scram-sha-256 # scram-sha-256 or md5
#scram_iterations = 4096 #scram_iterations = 4096
#db_user_namespace = off
# GSSAPI using Kerberos # GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab' #krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'

2
src/include/libpq/pqcomm.h
View File

@ -103,8 +103,6 @@ typedef ProtocolVersion MsgType;
typedef uint32 PacketLen; typedef uint32 PacketLen;
extern PGDLLIMPORT bool Db_user_namespace;
/* /*
* In protocol 3.0 and later, the startup packet length is not fixed, but * In protocol 3.0 and later, the startup packet length is not fixed, but
* we set an arbitrary limit on it anyway. This is just to prevent simple * we set an arbitrary limit on it anyway. This is just to prevent simple