Re: HBA files w/include support?

From: Jim Nasby <jim(at)nasby(dot)net>
To: Andres Freund <andres(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>, Jerry Sievers <gsievers19(at)comcast(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: HBA files w/include support?
Date: 2014-02-16 20:56:54
Message-ID: 53012616.9000408@nasby.net
Lists: pgsql-hackers

On 2/14/14, 10:14 AM, Andres Freund wrote:
> > I was asking for use-cases so we could figure out what's the right thing;-)
> >
> > The argument about wanting to assemble a pg_hba file from separately
> > managed configuration pieces seems to have some merit, but the weak
> > spot there is how do you define the search order? Or are you planning
> > to just cross your fingers and hope it doesn't matter too much?
> The usual solution is to prepend a numeric prefix guaranteeing the
> search order. 00 is sysadmin stuff, 10 replication, 20 database specific
> or somesuch. I think most admins using automated tools to manage bigger
> configuration files by using some .d config directory already know how
> to deal with that problem.

Would the inclusion of the entire directory be done via a single #include (or whatever syntax) directive in pg_hba.conf?

I think that's probably OK. But if we're talking about something like "hey, if there's a pg_hba.d directory then magically slurp that in", that's far less useful and a much bigger foot-gun. (It also wouldn't provide any value for what Jerry (the op) needs).

To summarize, here's what I've seen on this discussion:

- People seem to generally be in favor of the idea of "includes", though it's not completely clear if people want specific "include file X at this point in the ruleset" or something more nebulous.
- It would be useful to have a mechanism for testing a pg_hba.conf file.
- It would also be useful for denied connections to log the actual line/file that denied the connection.
- This would be a good GSoC project.
--
Jim C. Nasby, Data Architect jim(at)nasby(dot)net
512.569.9461 (cell) http://jim.nasby.net
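The ordering problem Andres describes (a pg_hba.d directory concatenated in lexical order, with numeric prefixes fixing the search order) and two of the wishes in the summary above (a way to test a ruleset, and a report of which file and line decided a connection) can be seen together in the following added example. It is not code from this thread or from PostgreSQL: it is a deliberately simplified evaluator of the common subset of the pg_hba.conf format, with pg_hba's first-match semantics, run over constructed fragments written to a temporary directory. The fragment names, databases, users and networks are made up for the illustration.

```python
"""Simplified pg_hba.d assembler and first-match evaluator (added example, not PostgreSQL code).

Rules are read from every *.conf in a directory in sorted order, so a numeric
prefix (00-, 10-, 20-) fixes the search order, and each decision reports the
file:line that made it.  Only the common subset of the format is handled.
"""
import ipaddress
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class HbaRule:
    source: str                 # "file:line" the rule came from
    conn_type: str              # local | host | hostssl | hostnossl
    databases: List[str]
    users: List[str]
    network: Optional[Network]  # None = no address filter ("local" or address "all")
    method: str


def parse_hba_text(text: str, filename: str) -> List[HbaRule]:
    """Parse one pg_hba-style file; comments and blank lines are skipped.
    Not supported: @file lists, hostname addresses, +group users, quoted names,
    method options and the hostgssenc/hostnogssenc types (simplification)."""
    rules: List[HbaRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        where = f"{filename}:{lineno}"
        if f[0] == "local" and len(f) >= 4:
            network, method = None, f[3]
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            if f[3] == "all":
                network, method = None, f[4]
            elif len(f) >= 6 and f[4][0].isdigit():   # separate IPv4 address + netmask form
                network, method = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5]
            else:                                      # CIDR form
                network, method = ipaddress.ip_network(f[3], strict=False), f[4]
        else:
            raise ValueError(f"{where}: unparseable rule {line!r}")
        rules.append(HbaRule(where, f[0], f[1].split(","), f[2].split(","), network, method))
    return rules


def matches(rule: HbaRule, conn_type: str, database: str, user: str,
            address: Optional[str]) -> bool:
    """conn_type of the incoming connection is 'local', 'hostssl' or 'hostnossl'."""
    if rule.conn_type == "local":
        if conn_type != "local":
            return False
    else:
        if conn_type == "local":
            return False
        if rule.conn_type in ("hostssl", "hostnossl") and rule.conn_type != conn_type:
            return False                       # plain "host" matches both SSL and non-SSL
        if rule.network is not None and (
                address is None or ipaddress.ip_address(address) not in rule.network):
            return False
    # Database field: 'all', 'sameuser' or a literal name.  'replication' is treated
    # here as a literal name the caller passes for a replication connection (simplification).
    db_ok = any(d == "all" or (d == "sameuser" and database == user) or d == database
                for d in rule.databases)
    return db_ok and ("all" in rule.users or user in rule.users)


def load_hba_dir(directory: str) -> List[HbaRule]:
    """Concatenate every *.conf in lexical order: this is what gives the prefixes meaning."""
    rules: List[HbaRule] = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".conf"):
            with open(os.path.join(directory, name)) as fh:
                rules.extend(parse_hba_text(fh.read(), name))
    return rules


def resolve(rules: List[HbaRule], conn_type: str, database: str, user: str,
            address: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """First matching rule wins, as in pg_hba.conf.  Returns (method, file:line);
    with no match PostgreSQL refuses the connection, reported here as ('no-match', None)."""
    for rule in rules:
        if matches(rule, conn_type, database, user, address):
            return rule.method, rule.source
    return "no-match", None


# Constructed pg_hba.d fragments, one per owning team, ordered by numeric prefix.
FRAGMENTS: Dict[str, str] = {
    "00-sysadmin.conf": ("local   all          postgres               peer\n"
                         "host    all          all        127.0.0.1/32  scram-sha-256\n"),
    "10-replication.conf": "hostssl replication  replicator 10.1.0.0/16   scram-sha-256\n",
    "20-appdb.conf": ("hostssl appdb        appuser    10.2.0.0/16   scram-sha-256\n"
                      "host    appdb        all        0.0.0.0/0     reject\n"),
}


def write_fragments(fragments: Dict[str, str]) -> str:
    """Write the constructed fragments into a fresh temporary pg_hba.d directory."""
    directory = tempfile.mkdtemp(prefix="pg_hba.d-")
    for name, text in fragments.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(text)
    return directory


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Test a few connections against the ruleset, then add the same reject rule in a
    fragment that sorts before the app fragment and watch it shadow the app rule."""
    rules = load_hba_dir(write_fragments(FRAGMENTS))
    out = {
        "app_ok": resolve(rules, "hostssl", "appdb", "appuser", "10.2.5.6"),
        "app_nossl": resolve(rules, "hostnossl", "appdb", "appuser", "10.2.5.6"),
        "repl_wrong_net": resolve(rules, "hostssl", "replication", "replicator", "10.9.0.1"),
        "local_peer": resolve(rules, "local", "appdb", "postgres"),
    }
    misordered = dict(FRAGMENTS)
    misordered["05-netpolicy.conf"] = "host all all 10.2.0.0/16 reject\n"
    out["app_shadowed"] = resolve(load_hba_dir(write_fragments(misordered)),
                                  "hostssl", "appdb", "appuser", "10.2.5.6")
    return out


if __name__ == "__main__":
    for name, (method, source) in demo().items():
        print(f"{name:16} -> {method:14} decided by {source}")
```

The last case is the foot-gun the thread is circling: a team that drops a `reject` into a fragment with a lower prefix silently overrides a `scram-sha-256` rule owned by someone else, and without a file:line in the decision there is nothing in the log that says which fragment did it. A real ruleset test would of course have to use PostgreSQL's own parser (hostnames, `@file` lists, `+group`, method options and keyword handling all differ from this sketch).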
