Andrew Dunstan wrote:
> Tino Wildenhain wrote:
...
>> I don't think it has to be ordered in advance. Since we are
>> dealing with subnets and stuff - the ordering already lies
>> in the data - just like routing tables work: most specific
>> matches first.
>>
>> I could think of a solution where pg_hba.conf just
>> overrides the database table (so you have a starting
>> point with an empty table and/or re-entry in case of a
>> mistake)
...
>
> We don't have the luxury of being able just to throw out old stuff
> because we think it might be neater to do it another way. The current
> rules for HBA are order-dependent. The issue raised, as I understood it,
> was not to invent a new scheme but to be able to manage it from inside a
> postgres session.
Not sure about the luxury - IIRC there was some change in the format
of pg_hba.conf anyway over time, and besides pgadmin3 I don't see
many tools to edit this file (apart from the usual text editor ;)
So I don't see a strong reason to keep it the way it is now just for
some legacy nobody depends on anyway. Alternatively there could
be something like security.conf or the like which deprecates
pg_hba.conf - so if pg_hba.conf is there and has any active
entry in it - things would be like they are now.
If not, then security.conf and the system table would
work as designed, with security.conf read before the table.
A pg_securitydump or the like could be useful to dump the table
to a file in the security.conf format.
Regards
Tino
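The two ordering semantics argued about in this thread (pg_hba.conf's first-matching-line rule versus the routing-table style "most specific prefix wins" proposal) disagree on exactly the cases that matter for access control: a broad line placed above a narrow one. The following toy evaluator, an added example that is not code from the thread or from PostgreSQL, parses a constructed pg_hba.conf fragment and evaluates the same probe addresses under both rules. It models only the fields needed for the comparison: the "host" type taken literally (no hostssl/hostnossl distinction), "all" or a literal name for database and user, and CIDR addresses; the tie-break between equal prefix lengths in the most-specific mode is this example's own choice, since the thread does not specify one.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HbaRule:
    conn_type: str   # "host" is taken literally; hostssl/hostnossl not modelled
    database: str    # "all" or a literal database name (no samerole, @file, ...)
    user: str        # "all" or a literal role name
    network: object  # ipaddress.IPv4Network or IPv6Network
    method: str      # auth method keyword, e.g. trust / md5 / reject


def parse_hba(text):
    """Parse host-type lines of pg_hba.conf-like text into HbaRule objects.

    Assumption: addresses are in CIDR form (a bare address becomes /32 or
    /128); the separate-netmask column form is not handled here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            continue  # unix-socket lines carry no address; irrelevant here
        if len(fields) < 5:
            raise ValueError("malformed line: %r" % raw)
        conn_type, database, user, address, method = fields[:5]
        network = ipaddress.ip_network(address, strict=False)
        rules.append(HbaRule(conn_type, database, user, network, method))
    return rules


def _field_matches(pattern, value):
    return pattern == "all" or pattern == value


def _applies(rule, conn_type, database, user, ip):
    return (rule.conn_type == conn_type
            and _field_matches(rule.database, database)
            and _field_matches(rule.user, user)
            and ip.version == rule.network.version
            and ip in rule.network)


def first_match(rules, conn_type, database, user, address):
    """pg_hba.conf semantics: the first matching line decides the method.

    Later lines are never consulted, so a broad line above a narrow one
    silently shadows it. None means no line matched (connection refused).
    """
    ip = ipaddress.ip_address(address)
    for rule in rules:
        if _applies(rule, conn_type, database, user, ip):
            return rule.method
    return None


def most_specific_match(rules, conn_type, database, user, address):
    """Routing-table semantics: the matching line with the longest prefix
    wins regardless of line order. Equal prefix lengths fall back to line
    order (this example's tie-break, not something the thread specifies)."""
    ip = ipaddress.ip_address(address)
    candidates = [r for r in rules if _applies(r, conn_type, database, user, ip)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen).method


# Constructed configuration: a broad reject placed ahead of a narrow md5 line.
SAMPLE_CONF = """
# TYPE  DATABASE  USER  ADDRESS          METHOD
host    all       all   10.0.0.0/8       reject
host    all       all   10.1.2.0/24      md5
host    all       all   192.168.1.0/24   md5
"""
RULES = parse_hba(SAMPLE_CONF)

# Same lines with the narrow rule first: what an admin relying on
# first-match semantics has to write to get the intended result.
REORDERED_CONF = """
host    all       all   10.1.2.0/24      md5
host    all       all   10.0.0.0/8       reject
host    all       all   192.168.1.0/24   md5
"""
REORDERED_RULES = parse_hba(REORDERED_CONF)


def disagreements(rules, probes, conn_type="host", database="app", user="alice"):
    """Return (address, first_match, most_specific) for probes where the
    two semantics pick different methods."""
    out = []
    for addr in probes:
        a = first_match(rules, conn_type, database, user, addr)
        b = most_specific_match(rules, conn_type, database, user, addr)
        if a != b:
            out.append((addr, a, b))
    return out


if __name__ == "__main__":
    probes = ["10.1.2.5", "10.9.9.9", "192.168.1.10", "172.16.0.1"]
    for addr in probes:
        print(addr,
              "first-match:", first_match(RULES, "host", "app", "alice", addr),
              "most-specific:", most_specific_match(RULES, "host", "app", "alice", addr))
    print("disagreements:", disagreements(RULES, probes))
```

Run as-is, the script shows that 10.1.2.5 is rejected under first-match but authenticated with md5 under most-specific, while the other probes agree; with the reordered file the two semantics coincide. That is the practical content of Andrew's objection: any tool that writes entries into a table and regenerates a file has to preserve the order the administrator intended, or the meaning of an existing pg_hba.conf changes underneath them.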