Re: HBA files w/include support?

On 2/14/14, 10:14 AM, Andres Freund wrote:
>> >I was asking for use-cases so we could figure out what's the right thing;-)
>> >
>> >The argument about wanting to assemble a pg_hba file from separately
>> >managed configuration pieces seems to have some merit, but the weak
>> >spot there is how do you define the search order? Or are you planning
>> >to just cross your fingers and hope it doesn't matter too much?
> The usual solution is to prepend a numeric prefix guaranteeing the
> search order. 00 is sysadmin stuff, 10 replication, 20 database specific
> or somesuch. I think most admins using automated tools to manage bigger
> configuration files by using some .d config directory already know how
> to deal with that problem.

Would the inclusion of the entire directory be done via a single #include (or whatever syntax) directive in pg_hba.conf?

I think that's probably OK. But if we're talking about something like "hey, if there's a pg_hba.d directory then magically slurp that in", that's far less useful and a much bigger foot-gun. (It also wouldn't provide any value for what Jerry (the op) needs).

To summarize, here's what I've seen on this discussion:

- People seem to generally be in favor of the idea of "includes", though it's not completely clear if people want specific "include file X at this point in the ruleset" or something more nebulous.
- It would be useful to have a mechanism for testing a pg_hba.conf file.
- It would also be useful for denied connections to log the actual line/file that denied the connection.
- This would be a good GSoC project.
--
Jim C. Nasby, Data Architect jim(at)nasby(dot)net
512.569.9461 (cell) http://jim.nasby.net