BTW, I just thought of a small improvement to your patch that eliminates
some of the ugliness. Suppose that when we recognize an attempt to
connect as a global user (ie, feature flag is on and last character of
username is '@'), we strip off the '@' before proceeding. Then we would
have:
global users appear in pg_shadow as foo
local users appear in pg_shadow as foo@db
and what this would mean is that you can flip between feature-enabled
and feature-disabled states without breaking your global logins. So you
don't need the extra step of creating a "postgres@" before turning on
the feature. (Which was pretty ugly anyway, since even though postgres@
could be made a superuser, he wouldn't be the same user as postgres ---
this affects table ownership, for example, and would be a serious issue
if you wanted any non-superuser global users.)
I suppose some might argue that having to say postgres@ to log in,
when your username is really just postgres as far as you can see in the
database, is a tad confusing. But the whole thing is an acknowledged
wart anyway, and I think getting rid of the two problems mentioned above
is worth it.
Also, if we do this then it's important to strip a trailing '@' only
if it's the *only* one in the given username. Else a local user
'foo@db1' could cheat to log into db2 by saying username = 'foo@db1@'
with requested database db2. But I can't see any other security hole.
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])
