> I needed to do that for the web database that I'm setting up. We

have > 20000 users and each (potentially) needs a separate database
which is > only accessible to them. Rather than having 20000 lines
in pg_hba.conf, > I've patched Postgres so that the special token
"sameuser" in the > database field of pg_hba.conf allows access
only to the username which > is connecting.

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 7cf875222ad24a285c0d6772b4340093b8f1e367..4aee9b9197a8bf5cc825baf950a15f56962c19a9 100644 (file)
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *   $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.27 1998/02/26 04:31:42 momjian Exp $
+ *   $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.28 1998/06/13 04:27:14 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -419,8 +419,8 @@ be_recvauth(Port *port)
     * combination.
     */
 
-   if (hba_getauthmethod(&port->raddr, port->database, port->auth_arg,
-                         &port->auth_method) != STATUS_OK)
+   if (hba_getauthmethod(&port->raddr, port->user, port->database,
+           port->auth_arg, &port->auth_method) != STATUS_OK)
        PacketSendError(&port->pktInfo, "Missing or mis-configured pg_hba.conf file");
 
    else if (PG_PROTOCOL_MAJOR(port->proto) == 0)

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 10a2acdc27b85b90494a5937295e6ff949b6243a..018a3864c972a3e8393c448beec222e830df52f3 100644 (file)
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *   $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.30 1998/03/15 08:18:03 scrappy Exp $
+ *   $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.31 1998/06/13 04:27:15 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -154,8 +154,8 @@ read_hba_entry2(FILE *file, UserAuth *userauth_p, char auth_arg[],
 
 
 static void
-process_hba_record(FILE *file, SockAddr *raddr, const char database[],
-                  bool *matches_p, bool *error_p,
+process_hba_record(FILE *file, SockAddr *raddr, const char user[],
+                  const char database[], bool *matches_p, bool *error_p,
                   UserAuth *userauth_p, char auth_arg[])
 {
 /*---------------------------------------------------------------------------
@@ -210,7 +210,8 @@ process_hba_record(FILE *file, SockAddr *raddr, const char database[],
         * sort of connection, ignore it.
         */
 
-       if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0) ||
+       if ((strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 &&
+           (strcmp(buf, "sameuser") != 0 || strcmp(user, database) != 0)) ||
            raddr->sa.sa_family != AF_UNIX)
            return;
    }
@@ -269,7 +270,8 @@ process_hba_record(FILE *file, SockAddr *raddr, const char database[],
         * sort of connection, ignore it.
         */
 
-       if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0) ||
+       if ((strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 &&
+           (strcmp(buf, "sameuser") != 0 || strcmp(user, database) != 0)) ||
            raddr->sa.sa_family != AF_INET ||
            ((file_ip_addr.s_addr ^ raddr->in.sin_addr.s_addr) & mask.s_addr) != 0x0000)
            return;
@@ -297,9 +299,9 @@ syntax:
 
 
 static void
-process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
-                        bool *host_ok_p, UserAuth *userauth_p,
-                        char auth_arg[])
+process_open_config_file(FILE *file, SockAddr *raddr, const char user[],
+                        const char database[], bool *host_ok_p,
+                        UserAuth *userauth_p, char auth_arg[])
 {
 /*---------------------------------------------------------------------------
   This function does the same thing as find_hba_entry, only with
@@ -333,7 +335,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
                read_through_eol(file);
            else
            {
-               process_hba_record(file, raddr, database,
+               process_hba_record(file, raddr, user, database,
                             &found_entry, &error, userauth_p, auth_arg);
            }
        }
@@ -353,8 +355,8 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
 
 
 static void
-find_hba_entry(SockAddr *raddr, const char database[], bool *host_ok_p,
-              UserAuth *userauth_p, char auth_arg[])
+find_hba_entry(SockAddr *raddr, const char user[], const char database[],
+              bool *host_ok_p, UserAuth *userauth_p, char auth_arg[])
 {
 /*--------------------------------------------------------------------------
   Read the config file and find an entry that allows connection from
@@ -428,7 +430,7 @@ find_hba_entry(SockAddr *raddr, const char database[], bool *host_ok_p,
        }
        else
        {
-           process_open_config_file(file, raddr, database, host_ok_p, userauth_p,
+           process_open_config_file(file, raddr, user, database, host_ok_p, userauth_p,
                                     auth_arg);
            FreeFile(file);
        }
@@ -1054,8 +1056,8 @@ GetCharSetByHost(char TableName[], int host, const char DataDir[])
 #endif
 
 extern int
-hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
-                 UserAuth *auth_method)
+hba_getauthmethod(SockAddr *raddr, char *user, char *database,
+                 char *auth_arg, UserAuth *auth_method)
 {
 /*---------------------------------------------------------------------------
   Determine what authentication method should be used when accessing database
@@ -1066,7 +1068,7 @@ hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
 
    host_ok = false;
 
-   find_hba_entry(raddr, database, &host_ok, auth_method, auth_arg);
+   find_hba_entry(raddr, user, database, &host_ok, auth_method, auth_arg);
 
    return (host_ok ? STATUS_OK : STATUS_ERROR);
 }

diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index c526e3b7bde91039b0b70ebd223c8e035f42892e..268649afada78cd5c11f4482dba8f0870c07b875 100644 (file)
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -39,8 +39,9 @@
 # 
 #   host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [AUTH_ARGUMENT]
 # 
-# DBNAME is the name of a PostgreSQL database, or "all" to indicate all 
-# databases.
+# DBNAME is the name of a PostgreSQL database, "all" to indicate all 
+# databases, or "sameuser" to restrict a user's access to a database
+# with the same user name.
 # 
 # IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and
 # mask to identify a set of hosts.  These hosts are allowed to connect to 

diff --git a/src/backend/parser/gram.c b/src/backend/parser/gram.c
index 78828cd74b2413375cda56cbee57f0cf8cc3eab6..919454de1af21fefcd923214b11e4889eacdf2a8 100644 (file)
--- a/src/backend/parser/gram.c
+++ b/src/backend/parser/gram.c
@@ -218,7 +218,7 @@
  *
  *
  * IDENTIFICATION
- *   $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.11 1998/05/12 17:46:46 momjian Exp $
+ *   $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.12 1998/06/13 04:27:15 momjian Exp $
  *
  * HISTORY
  *   AUTHOR            DATE            MAJOR EVENT

diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 8900c6f34f856c276ef4d57ef45fb11502278ff7..322c3e0e51f1bb3635b966ac5dc01eae4049c4ba 100644 (file)
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
  *   Interface to hba.c
  *
  *
- * $Id: hba.h,v 1.8 1998/02/26 04:41:43 momjian Exp $
+ * $Id: hba.h,v 1.9 1998/06/13 04:27:18 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -51,8 +51,8 @@ typedef enum UserAuth
 } UserAuth;
 
 int
-hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
-                 UserAuth *auth_method);
+hba_getauthmethod(SockAddr *raddr, char *user, char *database,
+                 char *auth_arg, UserAuth *auth_method);
 int
 authident(struct sockaddr_in * raddr, struct sockaddr_in * laddr,
          const char postgres_username[], const char auth_arg[]);