The SGML docs state that include files referenced by "@foo" constructs
in pg_hba.conf "must be in the same directory as pg_hba.conf". The
actual implementation, however, assumes they must be in DataDir.
This is no longer the same thing after the introduction of the
data_directory and hba_file GUC parameters.
It seems to me that in a context where you are storing pg_hba.conf in a
separate configuration directory, putting the include files in that same
directory is the behavior you'd want. On the other hand, the contents
of those files would often be data-cluster-specific (since they'd
typically be lists of user or database names). Maybe the code behavior
is still sensible.
One thing that's probably *not* sensible either way is that the code
forcibly prepends the directory name even if it's fed "@/abs/path".
I think if an absolute path is given it should be honored. That would
give an "out" for DBAs who want whichever behavior we don't provide.
The changes to fix the code, if we decide the code is wrong rather than
the docs, do not look very large; so I don't think we need to decide
this on the basis of it being too late to change for 8.0.
Comments?
regards, tom lane
