From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Simon Riggs <simon(at)2ndQuadrant(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Aidan Van Dyk <aidan(at)highrise(dot)ca>, Joshua Tolley <eggyknap(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Thoughts on pg_hba.conf rejection |
Date: | 2010-04-15 13:08:54 |
Message-ID: | 20100415130854.GQ21875@tamriel.snowman.net |
Lists: | pgsql-hackers |
Simon,

* Simon Riggs (simon(at)2ndQuadrant(dot)com) wrote:
> So instead of the typical "reject" instruction we also add a
> "rejectverbose" instruction that has a more verbose message. Docs would
> describe it as an additional instruction to assist with debugging a
> complex pg_hba.conf, with warning that if used it may assist the bad
> guys also.

Erm, so we'd add an option for this? That strikes me as pretty
excessive. Not to be a pain, but I feel like the 'connection not
authorized' argument plus a hint makes a lot more sense.

> "pg_hba.conf rejects entry for host..."

"connection not authorized for host X user Y database Z"
"HINT: Make sure your pg_hba.conf has the entries needed and the user
has CONNECT privileges for the database"

Or something along those lines (I added the other CONNECT issue because
it's one I've run into in the past.. :).

I do also wonder if we should consider having the error that's reported
to the log differ from that which is sent to the user.. I realize
that's a much bigger animal and might not help the novice, but it could
help with debugging complex pg_hba's without exposing info to possible
bad guys.

Thanks,

Stephen
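
The split raised in the last paragraph of the message above (one message for the client, a more detailed one for the server log), sketched as an added example that is not part of the original message and not PostgreSQL's code. It is a simplified first-match model of pg_hba.conf in Python; `HbaRule`, `RULES` and `authorize` are hypothetical names and the rules are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class HbaRule:
    line_no: int    # position in the (hypothetical) pg_hba.conf
    database: str   # database name or "all"
    user: str       # role name or "all"
    network: str    # client address range in CIDR form
    method: str     # "reject", "md5", ...

# Constructed sample rules, evaluated top to bottom (first match wins).
RULES = [
    HbaRule(1, "all", "all", "10.0.5.0/24", "reject"),
    HbaRule(2, "sales", "alice", "10.0.0.0/16", "md5"),
]

def _matches(rule, host, user, database):
    return (rule.database in ("all", database)
            and rule.user in ("all", user)
            and ipaddress.ip_address(host) in ipaddress.ip_network(rule.network))

def authorize(host, user, database, rules=RULES):
    """Return (allowed, client_message, log_message)."""
    who = f'host "{host}" user "{user}" database "{database}"'
    rule = next((r for r in rules if _matches(r, host, user, database)), None)
    if rule is not None and rule.method != "reject":
        log = f"connection authorized for {who} by line {rule.line_no} ({rule.method})"
        return True, None, log
    # The client gets the same wording whether an explicit reject rule
    # matched or no rule matched, so it learns nothing about the file.
    client = f"connection not authorized for {who}"
    if rule is None:
        log = f"{client}: no pg_hba.conf entry matched"
    else:
        log = f"{client}: rejected by pg_hba.conf line {rule.line_no} ({rule.network})"
    return False, client, log

if __name__ == "__main__":
    for attempt in [("10.0.5.7", "alice", "sales"),
                    ("10.0.9.9", "alice", "sales"),
                    ("192.168.1.1", "bob", "hr")]:
        allowed, client, log = authorize(*attempt)
        print("client:", client, "| log:", log)
```

Only the log line names the matching rule and its address range; the administrator debugging a complex file reads it there, while the client sees the generic text in both failure cases.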