Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitefb6f4a

Browse files
committed
Support the same patterns for pg-user in pg_ident.conf as in pg_hba.conf
While pg_hba.conf has support for non-literal username matches, andthis commit extends the capabilities that are supported for thePostgreSQL user listed in an ident entry part of pg_ident.conf, withsupport for:1. The "all" keyword, where all the requested users are allowed.2. Membership checks using the + prefix.3. Using a regex to match against multiple roles.1. is a feature that has been requested by Jelte Fennema, 2. somethingthat has been mentioned independently by Andrew Dunstan, and 3. issomething I came up with while discussing how to extend the first one,whose implementation is facilitated by8fea868.This allows matching certain system users against many differentpostgres users with a single line in pg_ident.conf. Without this, onewould need one line for each of the postgres users that a system usercan log in as, which can be cumbersome to maintain.Tests are added to the TAP test of peer authentication to providecoverage for all that.Note that this introduces a set of backward-incompatible changes to beable to detect the new patterns, for the following cases:- A role named "all".- A role prefixed with '+' characters, which is something that would nothave worked in HBA entries anyway.- A role prefixed by a slash character, similarly to8fea868.Any of these can be still be handled by using quotes in the Postgresrole defined in an ident entry.A huge advantage of this change is that the code applies the same checksfor the Postgres roles in HBA and ident entries, via the common routinecheck_role().**This compatibility change should be mentioned in the release notes.**Author: Jelte FennemaDiscussion:https://postgr.es/m/DBBPR83MB0507FEC2E8965012990A80D0F7FC9@DBBPR83MB0507.EURPRD83.prod.outlook.com
1 parent74739d1 commitefb6f4a

File tree

3 files changed

+246
-39
lines changed

3 files changed

+246
-39
lines changed

‎doc/src/sgml/client-auth.sgml

Lines changed: 26 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -941,7 +941,22 @@ local db1,db2,@demodbs all md5
941941
implying that they are equivalent. The connection will be allowed if
942942
there is any map entry that pairs the user name obtained from the
943943
external authentication system with the database user name that the
944-
user has requested to connect as.
944+
user has requested to connect as. The value <literal>all</literal>
945+
can be used as the <replaceable>database-username</replaceable> to specify
946+
that if the <replaceable>system-user</replaceable> matches, then this user
947+
is allowed to log in as any of the existing database users. Quoting
948+
<literal>all</literal> makes the keyword lose its special meaning.
949+
</para>
950+
<para>
951+
If the <replaceable>database-username</replaceable> begins with a
952+
<literal>+</literal> character, then the operating system user can login as
953+
any user belonging to that role, similarly to how user names beginning with
954+
<literal>+</literal> are treated in <literal>pg_hba.conf</literal>.
955+
Thus, a <literal>+</literal> mark means <quote>match any of the roles that
956+
are directly or indirectly members of this role</quote>, while a name
957+
without a <literal>+</literal> mark matches only that specific role. Quoting
958+
a username starting with a <literal>+</literal> makes the
959+
<literal>+</literal> lose its special meaning.
945960
</para>
946961
<para>
947962
If the <replaceable>system-username</replaceable> field starts with a slash (<literal>/</literal>),
@@ -964,6 +979,16 @@ mymap /^(.*)@otherdomain\.com$ guest
964979
<literal>\1</literal> <emphasis>does not</emphasis> make
965980
<literal>\1</literal> lose its special meaning.
966981
</para>
982+
<para>
983+
If the <replaceable>database-username</replaceable> field starts with
984+
a slash (<literal>/</literal>), the remainder of the field is treated
985+
as a regular expression (see <xref linkend="posix-syntax-details"/>
986+
for details of <productname>PostgreSQL</productname>'s regular
987+
expression syntax. It is not possible to use <literal>\1</literal>
988+
to use a capture from regular expression on
989+
<replaceable>system-username</replaceable> for a regular expression
990+
on <replaceable>database-username</replaceable>.
991+
</para>
967992

968993
<tip>
969994
<para>

‎src/backend/libpq/hba.c

Lines changed: 67 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -73,8 +73,10 @@ typedef struct
7373
}tokenize_error_callback_arg;
7474

7575
#definetoken_has_regexp(t)(t->regex != NULL)
76+
#definetoken_is_member_check(t)(!t->quoted && t->string[0] == '+')
7677
#definetoken_is_keyword(t,k)(!t->quoted && strcmp(t->string, k) == 0)
7778
#definetoken_matches(t,k) (strcmp(t->string, k) == 0)
79+
#definetoken_matches_insensitive(t,k) (pg_strcasecmp(t->string, k) == 0)
7880

7981
/*
8082
* Memory context holding the list of TokenizedAuthLines when parsing
@@ -995,18 +997,19 @@ is_member(Oid userid, const char *role)
995997
*
996998
* Each AuthToken listed is checked one-by-one. Keywords are processed
997999
* first (these cannot have regular expressions), followed by regular
998-
* expressions (if any) and the exact match.
1000+
* expressions (if any), the case-insensitive match (if requested) and
1001+
* the exact match.
9991002
*/
10001003
staticbool
1001-
check_role(constchar*role,Oidroleid,List*tokens)
1004+
check_role(constchar*role,Oidroleid,List*tokens,boolcase_insensitive)
10021005
{
10031006
ListCell*cell;
10041007
AuthToken*tok;
10051008

10061009
foreach(cell,tokens)
10071010
{
10081011
tok=lfirst(cell);
1009-
if (!tok->quoted&&tok->string[0]=='+')
1012+
if (token_is_member_check(tok))
10101013
{
10111014
if (is_member(roleid,tok->string+1))
10121015
return true;
@@ -1018,6 +1021,11 @@ check_role(const char *role, Oid roleid, List *tokens)
10181021
if (regexec_auth_token(role,tok,0,NULL)==REG_OKAY)
10191022
return true;
10201023
}
1024+
elseif (case_insensitive)
1025+
{
1026+
if (token_matches_insensitive(tok,role))
1027+
return true;
1028+
}
10211029
elseif (token_matches(tok,role))
10221030
return true;
10231031
}
@@ -2614,7 +2622,7 @@ check_hba(hbaPort *port)
26142622
hba->databases))
26152623
continue;
26162624

2617-
if (!check_role(port->user_name,roleid,hba->roles))
2625+
if (!check_role(port->user_name,roleid,hba->roles, false))
26182626
continue;
26192627

26202628
/* Found a record that matched! */
@@ -2804,7 +2812,7 @@ parse_ident_line(TokenizedAuthLine *tok_line, int elevel)
28042812

28052813
/*
28062814
* Now that the field validation is done, compile a regex from the user
2807-
*token, if necessary.
2815+
*tokens, if necessary.
28082816
*/
28092817
if (regcomp_auth_token(parsedline->system_user,file_name,line_num,
28102818
err_msg,elevel))
@@ -2813,6 +2821,13 @@ parse_ident_line(TokenizedAuthLine *tok_line, int elevel)
28132821
returnNULL;
28142822
}
28152823

2824+
if (regcomp_auth_token(parsedline->pg_user,file_name,line_num,
2825+
err_msg,elevel))
2826+
{
2827+
/* err_msg includes the error to report */
2828+
returnNULL;
2829+
}
2830+
28162831
returnparsedline;
28172832
}
28182833

@@ -2827,13 +2842,18 @@ check_ident_usermap(IdentLine *identLine, const char *usermap_name,
28272842
constchar*pg_user,constchar*system_user,
28282843
boolcase_insensitive,bool*found_p,bool*error_p)
28292844
{
2845+
Oidroleid;
2846+
28302847
*found_p= false;
28312848
*error_p= false;
28322849

28332850
if (strcmp(identLine->usermap,usermap_name)!=0)
28342851
/* Line does not match the map name we're looking for, so just abort */
28352852
return;
28362853

2854+
/* Get the target role's OID. Note we do not error out for bad role. */
2855+
roleid=get_role_oid(pg_user, true);
2856+
28372857
/* Match? */
28382858
if (token_has_regexp(identLine->system_user))
28392859
{
@@ -2845,7 +2865,8 @@ check_ident_usermap(IdentLine *identLine, const char *usermap_name,
28452865
intr;
28462866
regmatch_tmatches[2];
28472867
char*ofs;
2848-
char*expanded_pg_user;
2868+
AuthToken*expanded_pg_user_token;
2869+
boolcreated_temporary_token= false;
28492870

28502871
r=regexec_auth_token(system_user,identLine->system_user,2,matches);
28512872
if (r)
@@ -2865,8 +2886,16 @@ check_ident_usermap(IdentLine *identLine, const char *usermap_name,
28652886
return;
28662887
}
28672888

2868-
if ((ofs=strstr(identLine->pg_user->string,"\\1"))!=NULL)
2889+
/*
2890+
* Replace \1 with the first captured group unless the field already
2891+
* has some special meaning, like a group membership or a regexp-based
2892+
* check.
2893+
*/
2894+
if (!token_is_member_check(identLine->pg_user)&&
2895+
!token_has_regexp(identLine->pg_user)&&
2896+
(ofs=strstr(identLine->pg_user->string,"\\1"))!=NULL)
28692897
{
2898+
char*expanded_pg_user;
28702899
intoffset;
28712900

28722901
/* substitution of the first argument requested */
@@ -2891,46 +2920,53 @@ check_ident_usermap(IdentLine *identLine, const char *usermap_name,
28912920
system_user+matches[1].rm_so,
28922921
matches[1].rm_eo-matches[1].rm_so);
28932922
strcat(expanded_pg_user,ofs+2);
2894-
}
2895-
else
2896-
{
2897-
/* no substitution, so copy the match */
2898-
expanded_pg_user=pstrdup(identLine->pg_user->string);
2899-
}
29002923

2901-
/*
2902-
*now check if the username actually matched what the user is trying
2903-
*to connect as
2904-
*/
2905-
if (case_insensitive)
2906-
{
2907-
if (pg_strcasecmp(expanded_pg_user,pg_user)==0)
2908-
*found_p= true;
2924+
/*
2925+
*Mark the token as quoted, so it will only be compared literally
2926+
*and not for some special meaning, such as "all" or a group
2927+
* membership check.
2928+
*/
2929+
expanded_pg_user_token=make_auth_token(expanded_pg_user, true);
2930+
created_temporary_token= true;
2931+
pfree(expanded_pg_user);
29092932
}
29102933
else
29112934
{
2912-
if (strcmp(expanded_pg_user,pg_user)==0)
2913-
*found_p= true;
2935+
expanded_pg_user_token=identLine->pg_user;
29142936
}
2915-
pfree(expanded_pg_user);
2937+
2938+
/* check the Postgres user */
2939+
*found_p=check_role(pg_user,roleid,
2940+
list_make1(expanded_pg_user_token),
2941+
case_insensitive);
2942+
2943+
if (created_temporary_token)
2944+
free_auth_token(expanded_pg_user_token);
29162945

29172946
return;
29182947
}
29192948
else
29202949
{
2921-
/* Not regular expression, so make complete match */
2950+
/*
2951+
* Not a regular expression, so make a complete match. If the system
2952+
* user does not match, just leave.
2953+
*/
29222954
if (case_insensitive)
29232955
{
2924-
if (pg_strcasecmp(identLine->pg_user->string,pg_user)==0&&
2925-
pg_strcasecmp(identLine->system_user->string,system_user)==0)
2926-
*found_p= true;
2956+
if (!token_matches_insensitive(identLine->system_user,
2957+
system_user))
2958+
return;
29272959
}
29282960
else
29292961
{
2930-
if (strcmp(identLine->pg_user->string,pg_user)==0&&
2931-
strcmp(identLine->system_user->string,system_user)==0)
2932-
*found_p= true;
2962+
if (!token_matches(identLine->system_user,system_user))
2963+
return;
29332964
}
2965+
2966+
/* check the Postgres user */
2967+
*found_p=check_role(pg_user,roleid,
2968+
list_make1(identLine->pg_user),
2969+
case_insensitive);
29342970
}
29352971
}
29362972

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp