Re: host name support in pg_hba.conf

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: host name support in pg_hba.conf
Date: 2010-10-12 21:03:29
Message-ID: 6705.1286917409@sss.pgh.pa.us
Lists: pgsql-hackers

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
>> Hopefully final patch, which addresses the above issues, adds some
>> documentation enhancements, and the possibility to quote host names (in
>> case someone wants to have a host named "samehost").

Oh, I had an idea for a small improvement to this. It doesn't seem
unlikely that pg_hba.conf could contain multiple entries with the same
host name (but, presumably, different user and/or database names). As
this is coded, you'll do a forward DNS lookup for each one until finding
the complete match. You could easily prevent that by adding an
additional cache field to struct Port, along the lines of
    +1 = remote_hostname is known to resolve to client's IP address
    -1 = remote_hostname is known NOT to resolve to client's IP address
     0 = we have not done the forward DNS lookup yet.
With this additional field we could guarantee to do not more than two
DNS lookups per connection attempt.

It also seems worth taking a second look at the order of tests in
check_hba(). I suspect that on average check_db() and check_role()
will now be much cheaper than the client IP test; should they be
done first? Of course, if you assume that "all" is the typical
entry in those columns, this doesn't win.

regards, tom lane
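
The tri-state cache proposed in the message above, as an added example that is not part of the original email or of PostgreSQL's code: `DemoPort`, `hostname_resolv`, `host_matches`, `demo_connect` and the stubbed DNS functions are hypothetical names, and the host name and addresses are constructed. It shows that several pg_hba lines naming the same host cost one reverse and one forward lookup per connection, including when the forward lookup refutes the name the PTR record claims.

```c
#include <string.h>

/* Constructed DNS stand-ins (no network); counters record lookups performed. */
static int reverse_lookups, forward_lookups;
static const char *stub_reverse(const char *ip)
{
    (void) ip; reverse_lookups++;   /* every client's PTR record claims this name */
    return "app1.example.com";
}
static int stub_forward_matches(const char *host, const char *ip)
{
    forward_lookups++;              /* the name really resolves only to 192.0.2.10 */
    return strcmp(host, "app1.example.com") == 0 && strcmp(ip, "192.0.2.10") == 0;
}

typedef struct DemoPort {           /* hypothetical; not PostgreSQL's struct Port */
    const char *remote_ip;
    const char *remote_hostname;    /* NULL until the reverse lookup has run */
    int         hostname_resolv;    /* +1 confirmed, -1 refuted, 0 not checked yet */
} DemoPort;
/* Constructed rules: the same host name on every line, different databases. */
static const struct { const char *host, *database; } demo_hba[] = {
    {"app1.example.com", "db1"}, {"app1.example.com", "db2"}, {"app1.example.com", "db3"}
};

static int host_matches(DemoPort *port, const char *hba_host)
{
    if (port->hostname_resolv < 0)
        return 0;                   /* cached negative: no further DNS traffic */
    if (port->remote_hostname == NULL)
        port->remote_hostname = stub_reverse(port->remote_ip);
    if (strcmp(port->remote_hostname, hba_host) != 0)
        return 0;
    if (port->hostname_resolv == 0) /* forward lookup runs once per connection */
        port->hostname_resolv =
            stub_forward_matches(port->remote_hostname, port->remote_ip) ? 1 : -1;
    return port->hostname_resolv > 0;
}

/* One connection attempt: index of the first matching line, or -1. */
static int demo_connect(const char *client_ip, const char *db)
{
    DemoPort port = {client_ip, NULL, 0};
    reverse_lookups = forward_lookups = 0;
    for (int i = 0; i < 3; i++)
        if (host_matches(&port, demo_hba[i].host) && strcmp(demo_hba[i].database, db) == 0)
            return i;
    return -1;
}
int main(void) { return demo_connect("192.0.2.10", "db3") == 2 ? 0 : 1; }
```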
