authorBruce Momjian <bruce@momjian.us>1998-06-13 04:27:18 +0000
committerBruce Momjian <bruce@momjian.us>1998-06-13 04:27:18 +0000
commit3f372ee6b3d8a92921d6f81fd64918189f55f987 (patch)
tree86e711cf2ae2af087925bf789bdc1492711a8241
parentd939f60ca7b7cdb8397b96ca1769e30b4159f2c0 (diff)
downloadpostgresql-3f372ee6b3d8a92921d6f81fd64918189f55f987.tar.gz
postgresql-3f372ee6b3d8a92921d6f81fd64918189f55f987.zip
> I needed to do that for the web database that I'm setting up. We
have > 20000 users and each (potentially) needs a separate database which is > only accessible to them. Rather than having 20000 lines in pg_hba.conf, > I've patched Postgres so that the special token "sameuser" in the > database field of pg_hba.conf allows access only to the username which > is connecting.
-rw-r--r--src/backend/libpq/auth.c6
-rw-r--r--src/backend/libpq/hba.c32
-rw-r--r--src/backend/libpq/pg_hba.conf.sample5
-rw-r--r--src/backend/parser/gram.c2
-rw-r--r--src/include/libpq/hba.h6
5 files changed, 27 insertions, 24 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 7cf875222ad..4aee9b9197a 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -7,7 +7,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.27 1998/02/26 04:31:42 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.28 1998/06/13 04:27:14 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -419,8 +419,8 @@ be_recvauth(Port *port)
* combination.
*/
- if (hba_getauthmethod(&port->raddr, port->database, port->auth_arg,
- &port->auth_method) != STATUS_OK)
+ if (hba_getauthmethod(&port->raddr, port->user, port->database,
+ port->auth_arg, &port->auth_method) != STATUS_OK)
PacketSendError(&port->pktInfo, "Missing or mis-configured pg_hba.conf file");
else if (PG_PROTOCOL_MAJOR(port->proto) == 0)
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 10a2acdc27b..018a3864c97 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -7,7 +7,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.30 1998/03/15 08:18:03 scrappy Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.31 1998/06/13 04:27:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -154,8 +154,8 @@ read_hba_entry2(FILE *file, UserAuth *userauth_p, char auth_arg[],
static void
-process_hba_record(FILE *file, SockAddr *raddr, const char database[],
- bool *matches_p, bool *error_p,
+process_hba_record(FILE *file, SockAddr *raddr, const char user[],
+ const char database[], bool *matches_p, bool *error_p,
UserAuth *userauth_p, char auth_arg[])
{
/*---------------------------------------------------------------------------
@@ -210,7 +210,8 @@ process_hba_record(FILE *file, SockAddr *raddr, const char database[],
* sort of connection, ignore it.
*/
- if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0) ||
+ if ((strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 &&
+ (strcmp(buf, "sameuser") != 0 || strcmp(user, database) != 0)) ||
raddr->sa.sa_family != AF_UNIX)
return;
}
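Review bot: The match condition on the first changed line now compares `buf` where the removed line compared `db`, and nothing in the hunk shows that `buf` still holds the database token at this point; if `buf` has been reused for a token read after the database field (its name reads as a general scratch buffer, `db` as the dedicated copy), every record would be matched against the wrong field and neither the literal database name, `all` nor `sameuser` could ever match. Please confirm against the declarations and `next_token` calls at the top of process_hba_record, which lie outside the hunk, and keep `db` if it is the dedicated copy: `if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0 &&` / `(strcmp(db, "sameuser") != 0 || strcmp(user, database) != 0)) ||`. The same `db` to `buf` substitution is made in the host-record hunk below (@@ -269), so whichever way it resolves applies to both. The new rule also deserves a sentence in the comment above the condition, because it only scopes which record applies and does not itself authenticate anyone: `/* "sameuser" matches only when the requested database name equals the connecting user name; this record's auth method still applies. */`.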
@@ -269,7 +270,8 @@ process_hba_record(FILE *file, SockAddr *raddr, const char database[],
* sort of connection, ignore it.
*/
- if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0) ||
+ if ((strcmp(buf, database) != 0 && strcmp(buf, "all") != 0 &&
+ (strcmp(buf, "sameuser") != 0 || strcmp(user, database) != 0)) ||
raddr->sa.sa_family != AF_INET ||
((file_ip_addr.s_addr ^ raddr->in.sin_addr.s_addr) & mask.s_addr) != 0x0000)
return;
@@ -297,9 +299,9 @@ syntax:
static void
-process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
- bool *host_ok_p, UserAuth *userauth_p,
- char auth_arg[])
+process_open_config_file(FILE *file, SockAddr *raddr, const char user[],
+ const char database[], bool *host_ok_p,
+ UserAuth *userauth_p, char auth_arg[])
{
/*---------------------------------------------------------------------------
This function does the same thing as find_hba_entry, only with
@@ -333,7 +335,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
read_through_eol(file);
else
{
- process_hba_record(file, raddr, database,
+ process_hba_record(file, raddr, user, database,
&found_entry, &error, userauth_p, auth_arg);
}
}
@@ -353,8 +355,8 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
static void
-find_hba_entry(SockAddr *raddr, const char database[], bool *host_ok_p,
- UserAuth *userauth_p, char auth_arg[])
+find_hba_entry(SockAddr *raddr, const char user[], const char database[],
+ bool *host_ok_p, UserAuth *userauth_p, char auth_arg[])
{
/*--------------------------------------------------------------------------
Read the config file and find an entry that allows connection from
@@ -428,7 +430,7 @@ find_hba_entry(SockAddr *raddr, const char database[], bool *host_ok_p,
}
else
{
- process_open_config_file(file, raddr, database, host_ok_p, userauth_p,
+ process_open_config_file(file, raddr, user, database, host_ok_p, userauth_p,
auth_arg);
FreeFile(file);
}
@@ -1054,8 +1056,8 @@ GetCharSetByHost(char TableName[], int host, const char DataDir[])
#endif
extern int
-hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
- UserAuth *auth_method)
+hba_getauthmethod(SockAddr *raddr, char *user, char *database,
+ char *auth_arg, UserAuth *auth_method)
{
/*---------------------------------------------------------------------------
Determine what authentication method should be used when accessing database
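Review bot: The new `user` parameter is declared `char *user` on the changed signature line although it is only passed down to find_hba_entry, which takes it as `const char user[]`, so `const char *user` (and likewise `database`) would record that the caller's strings are never written through; the prototype in src/include/libpq/hba.h (@@ -51) would need the matching change. The header comment starting on the line above should also name the new argument, e.g. `Determine what authentication method should be used when user "user" accesses database "database" from the host described by "raddr"`, and mention that a `sameuser` entry matches only when the two names are equal; the rest of that comment and the function body continue outside the hunk.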
@@ -1066,7 +1068,7 @@ hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
host_ok = false;
- find_hba_entry(raddr, database, &host_ok, auth_method, auth_arg);
+ find_hba_entry(raddr, user, database, &host_ok, auth_method, auth_arg);
return (host_ok ? STATUS_OK : STATUS_ERROR);
}
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index c526e3b7bde..268649afada 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -39,8 +39,9 @@
#
# host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [AUTH_ARGUMENT]
#
-# DBNAME is the name of a PostgreSQL database, or "all" to indicate all
-# databases.
+# DBNAME is the name of a PostgreSQL database, "all" to indicate all
+# databases, or "sameuser" to restrict a user's access to a database
+# with the same user name.
#
# IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and
# mask to identify a set of hosts. These hosts are allowed to connect to
diff --git a/src/backend/parser/gram.c b/src/backend/parser/gram.c
index 78828cd74b2..919454de1af 100644
--- a/src/backend/parser/gram.c
+++ b/src/backend/parser/gram.c
@@ -218,7 +218,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.11 1998/05/12 17:46:46 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/parser/Attic/gram.c,v 2.12 1998/06/13 04:27:15 momjian Exp $
*
* HISTORY
* AUTHOR DATE MAJOR EVENT
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 8900c6f34f8..322c3e0e51f 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
* Interface to hba.c
*
*
- * $Id: hba.h,v 1.8 1998/02/26 04:41:43 momjian Exp $
+ * $Id: hba.h,v 1.9 1998/06/13 04:27:18 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -51,8 +51,8 @@ typedef enum UserAuth
} UserAuth;
int
-hba_getauthmethod(SockAddr *raddr, char *database, char *auth_arg,
- UserAuth *auth_method);
+hba_getauthmethod(SockAddr *raddr, char *user, char *database,
+ char *auth_arg, UserAuth *auth_method);
int
authident(struct sockaddr_in * raddr, struct sockaddr_in * laddr,
const char postgres_username[], const char auth_arg[]);