Re: Providing catalog view to pg_hba.conf file - Patch submission

From: Josh Berkus <josh(at)agliodbs(dot)com>
To: Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Jim Nasby <Jim(dot)Nasby(at)bluetreble(dot)com>, Fabrízio Mello <fabriziomello(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "Prabakaran, Vaishnavi" <vaishnavip(at)fast(dot)au(dot)fujitsu(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Jaime Casanova <jaime(at)2ndquadrant(dot)com>
Subject: Re: Providing catalog view to pg_hba.conf file - Patch submission
Date: 2015-01-31 19:56:48
Message-ID: 54CD3380.7090400@agliodbs.com
Lists: pgsql-hackers

On 01/30/2015 10:01 PM, Amit Kapila wrote:
> On Fri, Jan 30, 2015 at 10:58 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>> Yes. The contents of postgresql.conf are only mildly order-dependent.
>> If you put the same setting in more than once, it matters which one is
>> last. Apart from that, though, it doesn't really matter:
>> wal_keep_segments=10 means the same thing if it occurs before
>> max_connections=401 that it means after that. The same is not true of
>> pg_hba.conf, where the order matters a lot.
>
> Do you mean to say that, as the authentication system uses just the
> first record that matches to perform authentication, it could lead
> to problems if an order is not maintained? Won't the same
> set of problems occur if the user tries to do that manually and does
> it without proper care of such rules? Now the problem with the
> command is that the user can't see the order in which entries are
> being made, but it seems to me that we can provide a view or some
> way for the user so that the order of entries is visible and the same is
> allowed to be manipulated via command.

We *can*, yes. But the technical issues around that have not been
addressed. Certainly just making the new system view respond to
UPDATE/INSERT/DELETE would not be sufficient.

And then once we address the technical issues, we'll need to address the
security implications.

I think this is worth doing; there's some tremendous utility potential
in having a PostgreSQL which can be 100% managed via port 5432,
especially for the emerging world of container-based hosting (Docker et
al.). However, it's also going to be difficult.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
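
The order dependence discussed in this thread, as an added example that is not part of the original messages or of PostgreSQL's code: a simplified first-match evaluator for pg_hba.conf-style `host` rules, plus a check for rules that an earlier, broader rule makes unreachable. The `Rule` type, function names and sample rules are hypothetical, and the model assumes only literal-or-`all` database/user fields and CIDR addresses.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):      # simplified model of one "host" line (assumption)
    database: str            # literal name or "all"
    user: str                # literal name or "all"
    network: str             # CIDR address
    method: str              # e.g. "md5", "reject"

def _covers(pattern: str, value: str) -> bool:
    """True if a rule field (pattern) matches everything `value` matches."""
    return pattern == "all" or pattern == value

def first_match(rules, database, user, client_ip) -> Optional[Rule]:
    """Return the first rule matching the connection; later rules are never consulted."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (_covers(r.database, database) and _covers(r.user, user)
                and ip in ipaddress.ip_network(r.network)):
            return r
    return None  # no rule matched: the connection is refused

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    out = []
    for i, later in enumerate(rules):
        net = ipaddress.ip_network(later.network)
        for earlier in rules[:i]:
            enet = ipaddress.ip_network(earlier.network)
            if (_covers(earlier.database, later.database)
                    and _covers(earlier.user, later.user)
                    and net.version == enet.version and net.subnet_of(enet)):
                out.append(i)
                break
    return out

# Constructed sample rules, not taken from the thread.
NARROW = Rule("all", "all", "10.1.2.3/32", "reject")
BROAD = Rule("all", "all", "10.0.0.0/8", "md5")

if __name__ == "__main__":
    for order in ([NARROW, BROAD], [BROAD, NARROW]):
        hit = first_match(order, "app", "alice", "10.1.2.3")
        print([r.method for r in order], "->", hit.method,
              "| unreachable rule indexes:", shadowed(order))
```

The same two rules yield `reject` in one order and `md5` in the other, which is why a view or command that edits entries has to expose and preserve position.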
