Re: Thoughts on pg_hba.conf rejection - Mailing list pgsql-hackers

From Simon Riggs
Subject Re: Thoughts on pg_hba.conf rejection
Msg-id 1271714586.8305.20491.camel@ebony
In response to Re: Thoughts on pg_hba.conf rejection  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
On Mon, 2010-04-19 at 17:52 -0400, Robert Haas wrote:
> On Mon, Apr 19, 2010 at 5:22 PM, Simon Riggs <simon@2ndquadrant.com> wrote:
> > On Mon, 2010-04-19 at 17:08 -0400, Robert Haas wrote:
> >
> >> Oh.  Then I'm confused.  Tom said: "as of 9.0, it's necessary to
> >> connect to some database in order to proceed with auth checking".  Why
> >> is that necessary
> >
> > It's not, I just explained how to do it without.
> 
> Your explanation seems to presuppose that we somehow can't process the
> database-specific rules before selecting a database.  I don't
> understand why that would be the case.  Why can't we just check all
> the rules and then, if we decide to allow the connection, select the
> database?

Some rules are user-specific, but I see that doesn't matter and you are
right. 

We can process the whole pg_hba.conf to see if it returns reject or
implicit reject before attempting to confirm the existence of any
database or any user. Any other result must be implemented during
ClientAuthentication(). So we may as well run the whole set of rules,
work out which rule applies and then remember that for later use. Just
as efficient, better security.

-- Simon Riggs           www.2ndQuadrant.com
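Added illustration (not from this thread and not PostgreSQL's own code): a small Python model of pg_hba.conf first-match evaluation that settles reject / implicit reject from the rule table alone and only afterwards consults the catalog to see whether the database and role exist, in the order Simon describes. The sample pg_hba.conf, the catalog sets and the function names are constructed for the example; real pg_hba.conf also supports comma lists, sameuser/samerole, +group and @file references, hostssl/hostnossl and hostnames, all omitted here.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample pg_hba.conf (not a real default). The evaluation order
# below follows the real first-match semantics: the first line whose type,
# database, user and address all match decides the outcome.
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    all       all       10.0.0.0/8       reject
host    appdb     appuser   192.168.1.0/24   md5
host    all       all       127.0.0.1/32     md5
"""


@dataclass
class HbaRule:
    lineno: int
    conn_type: str
    database: str
    user: str
    address: ipaddress.IPv4Network | ipaddress.IPv6Network | None
    method: str


def parse_pg_hba(text: str) -> list[HbaRule]:
    """Parse the subset of pg_hba.conf syntax used above into ordered rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            conn_type, database, user, method = fields[:4]  # local has no address
            address = None
        else:
            conn_type, database, user, addr, method = fields[:5]
            address = ipaddress.ip_network(addr, strict=False)
        rules.append(HbaRule(lineno, conn_type, database, user, address, method))
    return rules


def _field_matches(pattern: str, value: str) -> bool:
    # "all" matches any name; otherwise an exact match on the name only.
    return pattern == "all" or pattern == value


def evaluate(rules, conn_type, database, user, client_ip=None):
    """Decide from the rule table alone.

    Returns ("reject", rule), ("implicit-reject", None) or ("auth", rule).
    Only names and addresses are consulted here; nothing checks whether the
    database or role actually exists, which is the point made in the thread.
    """
    ip = ipaddress.ip_address(client_ip) if client_ip else None
    for rule in rules:
        if rule.conn_type != conn_type:
            continue
        if rule.address is not None and (ip is None or ip not in rule.address):
            continue
        if not (_field_matches(rule.database, database)
                and _field_matches(rule.user, user)):
            continue
        if rule.method == "reject":
            return ("reject", rule)
        return ("auth", rule)  # remembered for the later auth step
    return ("implicit-reject", None)  # no line matched: pg_hba.conf rejects


def admit(rules, catalog_databases, catalog_roles,
          conn_type, database, user, client_ip=None) -> str:
    """Run the hba decision first; touch the (constructed) catalog only if
    a non-reject rule matched, so rejected clients learn nothing about
    which databases or roles exist."""
    verdict, rule = evaluate(rules, conn_type, database, user, client_ip)
    if verdict != "auth":
        return verdict
    if database not in catalog_databases or user not in catalog_roles:
        return "no-such-object"
    return f"auth:{rule.method}@line{rule.lineno}"


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    dbs, roles = {"postgres", "appdb"}, {"postgres", "appuser"}
    print(admit(rules, dbs, roles, "host", "nonexistent", "appuser", "10.5.5.5"))
    print(admit(rules, dbs, roles, "host", "nonexistent", "appuser", "127.0.0.1"))
```

The two calls at the bottom show the ordering: a client from 10.0.0.0/8 is told "reject" by line 4 without the catalog ever being consulted, while a loopback client matching line 6 gets as far as the existence check and only then fails.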