Peter Eisentraut <peter_e@gmx.net> writes:
> The difficulty with putting the control over this into the SQL environment
> is two-fold:
> 1) You have a bootstrapping problem, because how are you going to set
> these privileges if you can't connect?
Presumably the database superuser can connect to anything anytime, and
I'd also expect a newly-minted database to be preconfigured to let its
owner in. (We could debate whether that privilege should be revokable,
but worst case is the owner goes to the dbadmin and admits what an idiot
he's been ;-).) So this doesn't seem like a major objection.
> 2) You don't necessarily want to start up a new backend for every rogue
> connection attempt.
True, but we can still expect the postmaster to have done the same
amount of connection checking it does now, so the worst forms of abuse
can be prevented. Bear in mind also that things like bad database name
are usually detected by the newly-started backend, so unless you run a
much tighter than normal pg_hba.conf, you have some exposure here
already. I think having the backend reject an unauthorized connection
attempt from a user that the postmaster has previously checked to be
known to the database is not so bad.
regards, tom lane