Re: HBA files w/include support?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Jim Nasby <jim(at)nasby(dot)net>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Jerry Sievers <gsievers19(at)comcast(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: HBA files w/include support?
Date: 2014-02-16 22:47:55
Message-ID: 20140216224755.GO2921@tamriel.snowman.net
Lists: pgsql-hackers

* Jim Nasby (jim(at)nasby(dot)net) wrote:
> On 2/14/14, 8:36 AM, Stephen Frost wrote:
> >* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> >>In an ideal world we would have a tool where you could plug in a
> >>username, database, IP address, and test pg_hba.conf file and it would
> >>report what line is matched.
> >
> >That's not a bad idea, but we don't expose the logic that figures that
> >out today.. It would, perhaps, not be horrible to duplicate it, but
> >then we'd need to make sure that we update both places if it ever
> >changes (not that it's changed much in oh-so-many-years). Perhaps
> >another candidate to be a GSoC project.
>
> Stupid question... is there a reason we couldn't use the same code for both?

It'd just be a matter of shifting things around to make that work. I'm
not against it, but this code is hardly of general or common use.

> BTW, I'm not sure that SQL would be the appropriate API for this testing; but presumably it wouldn't be hard to add functionality to the wire protocol to support the case of "hypothetically, if I were to attempt a connection that looks like this, what would happen?"

Well, we have that, and it's "just do it" and you'll see. Making that
easier to determine would have to be done post-authentication anyway,
lest we make it easier for would-be attackers, and at that point I'm not
sure that there's much benefit in having something in the protocol for
this rather than just a handy SQL function, which people who care about
these things are probably going to be pretty familiar with anyway..

Thanks,

Stephen
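
The lookup Bruce describes above, as an added example that is not part of this message and is not PostgreSQL's own matching code: it runs offline against a copy of pg_hba.conf and reports the first record that matches a given connection. It assumes only `local` and `host` records, unquoted fields, and CIDR or `all` addresses, and raises on anything else; `first_match`, `_field_matches` and the sample file are names and data constructed here.

```python
import ipaddress

# Constructed sample file for this example, not taken from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE    USER     ADDRESS         METHOD
local   all         postgres                 peer
host    sameuser    all      10.0.0.0/8      scram-sha-256
host    app,report  appuser  192.168.1.0/24  md5
host    all         all      all             reject
"""

DB_ONLY_KEYWORDS = ("samerole", "samegroup", "replication")

def _field_matches(field, value, user=None):
    """Match a comma-separated field; pass user only for the database column."""
    for token in field.split(","):
        if token.startswith(("+", "@")) or (user is not None and token in DB_ONLY_KEYWORDS):
            raise ValueError(f"unsupported token {token!r}")  # refuse to guess
        if token in ("all", value) or (user is not None and token == "sameuser" and value == user):
            return True
    return False

def first_match(hba_text, conn_type, database, user, client_ip=None):
    """Return (line_number, method) of the first matching record, or None.

    conn_type is "local" (Unix socket) or "host" (TCP). Records are tried
    top to bottom and the first match wins; there is no fall-through.
    """
    for lineno, raw in enumerate(hba_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if fields[0] not in ("local", "host"):
            raise ValueError(f"line {lineno}: unsupported record type {fields[0]!r}")
        is_host = fields[0] == "host"
        if len(fields) < (5 if is_host else 4):
            raise ValueError(f"line {lineno}: too few fields")
        if is_host and fields[3] != "all" and "/" not in fields[3]:
            raise ValueError(f"line {lineno}: only CIDR or 'all' addresses handled")
        if fields[0] != conn_type:
            continue
        if not _field_matches(fields[1], database, user):
            continue
        if not _field_matches(fields[2], user):
            continue
        if is_host and fields[3] != "all":
            net = ipaddress.ip_network(fields[3], strict=False)
            if ipaddress.ip_address(client_ip) not in net:
                continue  # also false when IPv4 and IPv6 are mixed
        return lineno, fields[4 if is_host else 3]
    return None
```

A `None` result means no record matched, which the server treats as a rejected connection.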
