> I needed to do that for the web database that I'm setting up. We

bmomjian · bmomjian · commit 3f372ee6b3d8 · 1998-06-13T04:27:18.000Z
have &gt; 20000 users and each (potentially) needs a separate database
which is &gt; only accessible to them. Rather than having 20000 lines
in pg_hba.conf, &gt; I've patched Postgres so that the special token
"sameuser" in the &gt; database field of pg_hba.conf allows access
only to the username which &gt; is connecting.
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.27 1998/02/26 04:31:42 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.28 1998/06/13 04:27:14 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -419,8 +419,8 @@ be_recvauth(Port *port)
 	 * combination.
 	 */
 
-	if (hba_getauthmethod(&port->raddr, port->database, port->auth_arg,
-						  &port->auth_method) != STATUS_OK)
+	if (hba_getauthmethod(&port->raddr, port->user, port->database,
+			port->auth_arg, &port->auth_method) != STATUS_OK)
 		PacketSendError(&port->pktInfo, "Missing or mis-configured pg_hba.conf file");
 
 	else if (PG_PROTOCOL_MAJOR(port->proto) == 0)
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.30 1998/03/15 08:18:03 scrappy Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.31 1998/06/13 04:27:15 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -154,8 +154,8 @@ read_hba_entry2(FILE *file, UserAuth *userauth_p, char auth_arg[],
 
 
 static void
-process_hba_record(FILE *file, SockAddr *raddr, const char database[],
-				   bool *matches_p, bool *error_p,
+process_hba_record(FILE *file, SockAddr *raddr, const char user[],
+				   const char database[], bool *matches_p, bool *error_p,
 				   UserAuth *userauth_p, char auth_arg[])
 {
 /*---------------------------------------------------------------------------
@@ -210,7 +210,8 @@ process_hba_record(FILE *file, SockAddr *raddr, const char database[],
 		 * sort of connection, ignore it.
 		 */
 
-		if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0) ||
+		if ((strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 &&
+		    (strcmp(buf, "sameuser") != 0 || strcmp(user, database) != 0)) ||
 			raddr->sa.sa_family != AF_UNIX)
 			return;
 	}
@@ -269,7 +270,8 @@ process_hba_record(FILE *file, SockAddr *raddr, const char database[],
 		 * sort of connection, ignore it.
 		 */
 
-		if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0) ||
+		if ((strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 &&
+		    (strcmp(buf, "sameuser") != 0 || strcmp(user, database) != 0)) ||
 			raddr->sa.sa_family != AF_INET ||
 			((file_ip_addr.s_addr ^ raddr->in.sin_addr.s_addr) & mask.s_addr) != 0x0000)
 			return;
@@ -297,9 +299,9 @@ process_hba_record(FILE *file, SockAddr *raddr, const char database[],
 
 
 static void
-process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
-						 bool *host_ok_p, UserAuth *userauth_p,
-						 char auth_arg[])
+process_open_config_file(FILE *file, SockAddr *raddr, const char user[],
+						 const char database[], bool *host_ok_p,
+						 UserAuth *userauth_p, char auth_arg[])
 {
 /*---------------------------------------------------------------------------
   This function does the same thing as find_hba_entry, only with
@@ -333,7 +335,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
 				read_through_eol(file);
 			else
 			{
-				process_hba_record(file, raddr, database,
+				process_hba_record(file, raddr, user, database,
 							 &found_entry, &error, userauth_p, auth_arg);
 			}
 		}
@@ -353,8 +355,8 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
 
 
 static void
-find_hba_entry(SockAddr *raddr, const char database[], bool *host_ok_p,
-			   UserAuth *userauth_p, char auth_arg[])
+find_hba_entry(SockAddr *raddr, const char user[], const char database[],
+			   bool *host_ok_p, UserAuth *userauth_p, char auth_arg[])
 {
 /*--------------------------------------------------------------------------
   Read the config file and find an entry that allows connection from
@@ -428,7 +430,7 @@ find_hba_entry(SockAddr *raddr, const char database[], bool *host_ok_p,
 		}
 		else
 		{
-			process_open_config_file(file, raddr, database, host_ok_p, userauth_p,
+			process_open_config_file(file, raddr, user, database, host_ok_p, userauth_p,
 									 auth_arg);
 			FreeFile(file);
 		}
@@ -1054,8 +1056,8 @@ GetCharSetByHost(char TableName[], int host, const char DataDir[])
 #endif
 
 extern int
-hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
-				  UserAuth *auth_method)
+hba_getauthmethod(SockAddr *raddr, char *user, char *database,
+				  char *auth_arg, UserAuth *auth_method)
 {
 /*---------------------------------------------------------------------------
   Determine what authentication method should be used when accessing database
@@ -1066,7 +1068,7 @@ hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
 
 	host_ok = false;
 
-	find_hba_entry(raddr, database, &host_ok, auth_method, auth_arg);
+	find_hba_entry(raddr, user, database, &host_ok, auth_method, auth_arg);
 
 	return (host_ok ? STATUS_OK : STATUS_ERROR);
 }
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
@@ -39,8 +39,9 @@
 # 
 #   host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [AUTH_ARGUMENT]
 # 
-# DBNAME is the name of a PostgreSQL database, or "all" to indicate all 
-# databases.
+# DBNAME is the name of a PostgreSQL database, "all" to indicate all 
+# databases, or "sameuser" to restrict a user's access to a database
+# with the same user name.
 # 
 # IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and
 # mask to identify a set of hosts.  These hosts are allowed to connect to 
diff --git a/src/backend/parser/gram.c b/src/backend/parser/gram.c
@@ -218,7 +218,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.11 1998/05/12 17:46:46 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.12 1998/06/13 04:27:15 momjian Exp $
  *
  * HISTORY
  *	  AUTHOR			DATE			MAJOR EVENT
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
  *	  Interface to hba.c
  *
  *
- * $Id: hba.h,v 1.8 1998/02/26 04:41:43 momjian Exp $
+ * $Id: hba.h,v 1.9 1998/06/13 04:27:18 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -51,8 +51,8 @@ typedef enum UserAuth
 } UserAuth;
 
 int
-hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
-				  UserAuth *auth_method);
+hba_getauthmethod(SockAddr *raddr, char *user, char *database,
+				  char *auth_arg, UserAuth *auth_method);
 int
 authident(struct sockaddr_in * raddr, struct sockaddr_in * laddr,
 		  const char postgres_username[], const char auth_arg[]);

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`*`
`8`	`8`	`*`
`9`	`9`	`* IDENTIFICATION`
`10`		`- * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.27 1998/02/26 04:31:42 momjian Exp $`
	`10`	`+ * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.28 1998/06/13 04:27:14 momjian Exp $`
`11`	`11`	`*`
`12`	`12`	`*-------------------------------------------------------------------------`
`13`	`13`	`*/`
`@@ -419,8 +419,8 @@ be_recvauth(Port *port)`
`419`	`419`	`* combination.`
`420`	`420`	`*/`
`421`	`421`
`422`		`- if (hba_getauthmethod(&port->raddr, port->database, port->auth_arg,`
`423`		`- &port->auth_method) != STATUS_OK)`
	`422`	`+ if (hba_getauthmethod(&port->raddr, port->user, port->database,`
	`423`	`+ port->auth_arg, &port->auth_method) != STATUS_OK)`
`424`	`424`	`PacketSendError(&port->pktInfo, "Missing or mis-configured pg_hba.conf file");`
`425`	`425`
`426`	`426`	`else if (PG_PROTOCOL_MAJOR(port->proto) == 0)`
Original file line number	Diff line number	Diff line change
`@@ -39,8 +39,9 @@`
`39`	`39`	`#`
`40`	`40`	`# host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [AUTH_ARGUMENT]`
`41`	`41`	`#`
`42`		`-# DBNAME is the name of a PostgreSQL database, or "all" to indicate all`
`43`		`-# databases.`
	`42`	`+# DBNAME is the name of a PostgreSQL database, "all" to indicate all`
	`43`	`+# databases, or "sameuser" to restrict a user's access to a database`
	`44`	`+# with the same user name.`
`44`	`45`	`#`
`45`	`46`	`# IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and`
`46`	`47`	`# mask to identify a set of hosts. These hosts are allowed to connect to`
Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,7 @@`
`218`	`218`	`*`
`219`	`219`	`*`
`220`	`220`	`* IDENTIFICATION`
`221`		`- * $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.11 1998/05/12 17:46:46 momjian Exp $`
	`221`	`+ * $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.12 1998/06/13 04:27:15 momjian Exp $`
`222`	`222`	`*`
`223`	`223`	`* HISTORY`
`224`	`224`	`* AUTHOR DATE MAJOR EVENT`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`* Interface to hba.c`
`5`	`5`	`*`
`6`	`6`	`*`
`7`		`- * $Id: hba.h,v 1.8 1998/02/26 04:41:43 momjian Exp $`
	`7`	`+ * $Id: hba.h,v 1.9 1998/06/13 04:27:18 momjian Exp $`
`8`	`8`	`*`
`9`	`9`	`*-------------------------------------------------------------------------`
`10`	`10`	`*/`
`@@ -51,8 +51,8 @@ typedef enum UserAuth`
`51`	`51`	`} UserAuth;`
`52`	`52`
`53`	`53`	`int`
`54`		`-hba_getauthmethod(SockAddr raddr, char database, char *auth_arg,`
`55`		`- UserAuth *auth_method);`
	`54`	`+hba_getauthmethod(SockAddr raddr, char user, char *database,`
	`55`	`+ char auth_arg, UserAuth auth_method);`
`56`	`56`	`int`
`57`	`57`	`authident(struct sockaddr_in * raddr, struct sockaddr_in * laddr,`
`58`	`58`	`const char postgres_username[], const char auth_arg[]);`