> I needed to do that for the web database that I'm setting up. We

have > 20000 users and each (potentially) needs a separate database which is > only accessible to them. Rather than having 20000 lines in pg_hba.conf, > I've patched Postgres so that the special token "sameuser" in the > database field of pg_hba.conf allows access only to the username which > is connecting.

> I needed to do that for the web database that I'm setting up. We
have > 20000 users and each (potentially) needs a separate database which is > only accessible to them. Rather than having 20000 lines in pg_hba.conf, > I've patched Postgres so that the special token "sameuser" in the > database field of pg_hba.conf allows access only to the username which > is connecting.
3f372ee6 · Bruce Momjian · d939f60c · 3f372ee6 · 3f372ee6 · 3f372ee6
Commit 3f372ee6 authored Jun 13, 1998 by Bruce Momjian
5 changed files
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -7,7 +7,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.27 1998/02/26 04:31:42 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.28 1998/06/13 04:27:14 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -419,8 +419,8 @@ be_recvauth(Port *port)
 	 * combination.
 	 */

-	if (hba_getauthmethod(&port->raddr, port->database, port->auth_arg,
-						  &port->auth_method) != STATUS_OK)
+	if (hba_getauthmethod(&port->raddr, port->user, port->database,
+			port->auth_arg, &port->auth_method) != STATUS_OK)
 		PacketSendError(&port->pktInfo, "Missing or mis-configured pg_hba.conf file");

 	else if (PG_PROTOCOL_MAJOR(port->proto) == 0)

--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -7,7 +7,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.30 1998/03/15 08:18:03 scrappy Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.31 1998/06/13 04:27:15 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -154,8 +154,8 @@ read_hba_entry2(FILE *file, UserAuth *userauth_p, char auth_arg[],


 static void
-process_hba_record(FILE *file, SockAddr *raddr, const char database[],
-				   bool *matches_p, bool *error_p,
+process_hba_record(FILE *file, SockAddr *raddr, const char user[],
+				   const char database[], bool *matches_p, bool *error_p,
 				   UserAuth *userauth_p, char auth_arg[])
 {
 /*---------------------------------------------------------------------------
@@ -210,7 +210,8 @@ process_hba_record(FILE *file, SockAddr *raddr, const char database[],
 		 * sort of connection, ignore it.
 		 */

-		if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0) ||
+		if ((strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 &&
+		    (strcmp(buf, "sameuser") != 0 || strcmp(user, database) != 0)) ||
 			raddr->sa.sa_family != AF_UNIX)
 			return;
 	}
@@ -269,7 +270,8 @@ process_hba_record(FILE *file, SockAddr *raddr, const char database[],
 		 * sort of connection, ignore it.
 		 */

-		if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0) ||
+		if ((strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 &&
+		    (strcmp(buf, "sameuser") != 0 || strcmp(user, database) != 0)) ||
 			raddr->sa.sa_family != AF_INET ||
 			((file_ip_addr.s_addr ^ raddr->in.sin_addr.s_addr) & mask.s_addr) != 0x0000)
 			return;
@@ -297,9 +299,9 @@ syntax:


 static void
-process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
-						 bool *host_ok_p, UserAuth *userauth_p,
-						 char auth_arg[])
+process_open_config_file(FILE *file, SockAddr *raddr, const char user[],
+						 const char database[], bool *host_ok_p,
+						 UserAuth *userauth_p, char auth_arg[])
 {
 /*---------------------------------------------------------------------------
  This function does the same thing as find_hba_entry, only with
@@ -333,7 +335,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
 				read_through_eol(file);
 			else
 			{
-				process_hba_record(file, raddr, database,
+				process_hba_record(file, raddr, user, database,
 							 &found_entry, &error, userauth_p, auth_arg);
 			}
 		}
@@ -353,8 +355,8 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[],


 static void
-find_hba_entry(SockAddr *raddr, const char database[], bool *host_ok_p,
-			   UserAuth *userauth_p, char auth_arg[])
+find_hba_entry(SockAddr *raddr, const char user[], const char database[],
+			   bool *host_ok_p, UserAuth *userauth_p, char auth_arg[])
 {
 /*--------------------------------------------------------------------------
  Read the config file and find an entry that allows connection from
@@ -428,7 +430,7 @@ find_hba_entry(SockAddr *raddr, const char database[], bool *host_ok_p,
 		}
 		else
 		{
-			process_open_config_file(file, raddr, database, host_ok_p, userauth_p,
+			process_open_config_file(file, raddr, user, database, host_ok_p, userauth_p,
 									 auth_arg);
 			FreeFile(file);
 		}
@@ -1054,8 +1056,8 @@ GetCharSetByHost(char TableName[], int host, const char DataDir[])
 #endif

 extern int
-hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
-				  UserAuth *auth_method)
+hba_getauthmethod(SockAddr *raddr, char *user, char *database,
+				  char *auth_arg, UserAuth *auth_method)
 {
 /*---------------------------------------------------------------------------
  Determine what authentication method should be used when accessing database
@@ -1066,7 +1068,7 @@ hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,

 	host_ok = false;

-	find_hba_entry(raddr, database, &host_ok, auth_method, auth_arg);
+	find_hba_entry(raddr, user, database, &host_ok, auth_method, auth_arg);

 	return (host_ok ? STATUS_OK : STATUS_ERROR);
 }
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -39,8 +39,9 @@
 # 
 #   host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [AUTH_ARGUMENT]
 # 
-# DBNAME is the name of a PostgreSQL database, or "all" to indicate all 
-# databases.
+# DBNAME is the name of a PostgreSQL database, "all" to indicate all 
+# databases, or "sameuser" to restrict a user's access to a database
+# with the same user name.
 # 
 # IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and
 # mask to identify a set of hosts.  These hosts are allowed to connect to 

--- a/src/backend/parser/gram.c
+++ b/src/backend/parser/gram.c
@@ -218,7 +218,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.11 1998/05/12 17:46:46 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.12 1998/06/13 04:27:15 momjian Exp $
 *
 * HISTORY
 *	  AUTHOR			DATE			MAJOR EVENT

--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
 *	  Interface to hba.c
 *
 *
- * $Id: hba.h,v 1.8 1998/02/26 04:41:43 momjian Exp $
+ * $Id: hba.h,v 1.9 1998/06/13 04:27:18 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -51,8 +51,8 @@ typedef enum UserAuth
 } UserAuth;

 int
-hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
-				  UserAuth *auth_method);
+hba_getauthmethod(SockAddr *raddr, char *user, char *database,
+				  char *auth_arg, UserAuth *auth_method);
 int
 authident(struct sockaddr_in * raddr, struct sockaddr_in * laddr,
 		  const char postgres_username[], const char auth_arg[]);