Thread: hba_conf: only first line is checked

From: Cédric Mesnil
Hi all,

My problem is the following:
I want to allow some users to connect to my db with password authentication against
a first password file and allow other users against a second one. I've written the following pg_hba.conf:

host           all   192.168.1.201   255.255.255.255       password passwd
host           all   192.168.1.201   255.255.255.255       password passwd2

The problem is that if the user is present in the second password file, he is always rejected.
(If I comment out the first line in the hba.conf, it works.)

Does anyone have a solution?

Thanks a lot

Cedric

Re: hba_conf: only first line is checked

From: Tom Lane

Cédric Mesnil <cedric.mesnil@trusted-logic.fr> writes:
> I want to allow some users to connect to my db with password authentication against
> a first password file and allow other users against a second one. I've written the following pg_hba.conf:

> host           all   192.168.1.201   255.255.255.255       password passwd
> host           all   192.168.1.201   255.255.255.255       password passwd2

This does not make any sense to me.  Why don't you just merge the two
password files?  If you want to have distinct password files for
distinct situations, then the situations have to actually be distinct,
i.e., different host addresses or database names in pg_hba.conf.  The
postmaster will stop on the first pg_hba.conf line that matches the
client host address and requested database, so the second line in the
above example can never be reached.  This is not a bug; if we changed
it then we'd break a lot of other useful cases.

            regards, tom lane
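
The first-match rule described in the reply above, as an added example that is not part of the original thread or of PostgreSQL itself: a small checker that parses `host DB IP MASK AUTH [ARG]` records in the format shown in the question, returns the record a given client would hit, and reports records that an earlier record makes unreachable. The function names, the third sample record and the handling of only `all` or a literal database name are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: the two records from the thread plus one distinct record.
SAMPLE = """\
host  all    192.168.1.201  255.255.255.255  password passwd
host  all    192.168.1.201  255.255.255.255  password passwd2
host  sales  192.168.1.0    255.255.255.0    password passwd3
"""

def parse(text):
    """Parse 'host DB IP MASK AUTH [ARG]' records; skip blanks, comments, other types."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "host":
            continue
        net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
        rules.append({"line": lineno, "db": fields[1], "net": net,
                      "auth": fields[4],
                      "arg": fields[5] if len(fields) > 5 else None})
    return rules

def first_match(rules, client_ip, database):
    """Return the first record matching client address and database, or None."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if addr in rule["net"] and rule["db"] in ("all", database):
            return rule  # matching stops here; later records are never consulted
    return None

def shadowed(rules):
    """Return (later_line, earlier_line) pairs where the later record is unreachable.

    Only shadowing by a single earlier record is detected (assumption: no
    attempt is made to combine several earlier records).
    """
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_addr = later["net"].subnet_of(earlier["net"])
            covers_db = earlier["db"] in ("all", later["db"])
            if covers_addr and covers_db:
                pairs.append((later["line"], earlier["line"]))
                break
    return pairs

if __name__ == "__main__":
    rules = parse(SAMPLE)
    hit = first_match(rules, "192.168.1.201", "mydb")
    print("client 192.168.1.201 is checked against:", hit["arg"])
    for later, earlier in shadowed(rules):
        print(f"line {later} can never be reached (shadowed by line {earlier})")
```
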