Re: Reporting hba lines - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Reporting hba lines
Date
Msg-id 29324.1340805340@sss.pgh.pa.us
In response to Reporting hba lines  (Magnus Hagander <magnus@hagander.net>)
Responses Re: Reporting hba lines
List pgsql-hackers
Magnus Hagander <magnus@hagander.net> writes:
> When debugging strange and complex pg_hba lines, it can often be quite
> useful to know which line is matching a particular connection that
> failed for some reason. Because more often than not, it's actually not
> using the line in pg_hba.conf that's expected.

> The easiest way to do this is to emit an errdetail for the login
> failure, per this patch.

> Question is - is that leaking information to the client that we
> shouldn't be leaking?

Yes.

> And if it is, what would be the preferred way to deal with it?

Report to the postmaster log only.  errdetail_log should do.

BTW, are you sure that auth_failed is only called in cases where
an hba line has already been identified?  Even if true today,
it seems fairly risky to assume that.
        regards, tom lane
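
The split suggested in the reply above, as an added example that is not part of the original message or of PostgreSQL's source: a self-contained C sketch that keeps the matched pg_hba.conf line out of the client-visible message, carries it in a log-only detail, and tolerates a failure where no line was identified. `HbaMatch`, `AuthFailureReport`, `build_auth_failure`, the message wording and the sample rule are assumptions made for illustration; in the backend the log-only part is the role `errdetail_log` plays.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed pg_hba.conf entry (not PostgreSQL's own struct). */
typedef struct {
    int         linenumber;   /* line number in pg_hba.conf */
    const char *rawline;      /* text of the matching line */
} HbaMatch;

/* One failure, two audiences: the client, and the server log only. */
typedef struct {
    char client_msg[128];
    char log_detail[256];
} AuthFailureReport;

/*
 * Build the report for a failed login. `hba` may be NULL when the failure
 * happened before any pg_hba.conf line was matched, so it is checked here
 * rather than assumed by the caller.
 */
static void build_auth_failure(AuthFailureReport *r, const char *user,
                               const HbaMatch *hba)
{
    /* Client-visible text: reveals nothing about which rule matched. */
    snprintf(r->client_msg, sizeof(r->client_msg),
             "authentication failed for user \"%s\"", user);

    /* Log-only detail: filled in only when a rule was actually identified. */
    if (hba != NULL && hba->rawline != NULL)
        snprintf(r->log_detail, sizeof(r->log_detail),
                 "Connection matched pg_hba.conf line %d: \"%s\"",
                 hba->linenumber, hba->rawline);
    else
        r->log_detail[0] = '\0';
}

int main(void)
{
    HbaMatch m = { 87, "host all all 10.0.0.0/8 md5" };  /* constructed sample */
    AuthFailureReport r;

    build_auth_failure(&r, "alice", &m);
    printf("to client: %s\nto log:    %s\n", r.client_msg, r.log_detail);

    build_auth_failure(&r, "alice", NULL);   /* no rule identified */
    printf("to client: %s\nto log:    %s\n", r.client_msg,
           r.log_detail[0] ? r.log_detail : "(no detail)");
    return 0;
}
```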

