Thread: BUG #8375: pg_hba.conf: Include_dir like in postgresql.conf
The following bug has been logged on the website:

Bug reference: 8375
Logged by: Thomas Güttler
Email address: hv@tbz-pariv.de
PostgreSQL version: 9.2.4
Operating system: Linux
Description:

For easier deployment it would be nice to have an include_dir directive in pg_hba.conf.

Related: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2a0c81a12c7e6c5ac1557b0f1f4a581f23fd4ca7
hv@tbz-pariv.de writes:
> For easier deployment it would be nice to have an include_dir directive in
> pg_hba.conf.

This doesn't seem like a remarkably good idea from here, mainly because entries in pg_hba.conf are critically order-dependent. Dropping random entries into a conf.d-like directory could produce unexpected results --- and in this case, "unexpected result" probably means "security failure".

regards, tom lane
On 8. aug. 2013, at 14:39, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> This doesn't seem like a remarkably good idea from here, mainly because
> entries in pg_hba.conf are critically order-dependent. Dropping random
> entries into a conf.d-like directory could produce unexpected results
> --- and in this case, "unexpected result" probably means "security
> failure".

Don't mean to spark or fuel any major discussion on this, but other than seconding that, I'd like to add in that if you need anything that advanced, chances are that you should either look at simplifying (wildcard usernames, etc.), look at other authentication systems (PAM), or set up a build system for pg_hba.

Terje
On Thu, Aug 8, 2013 at 2:39 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> hv@tbz-pariv.de writes:
>> For easier deployment it would be nice to have an include_dir directive in
>> pg_hba.conf.
>
> This doesn't seem like a remarkably good idea from here, mainly because
> entries in pg_hba.conf are critically order-dependent. Dropping random
> entries into a conf.d-like directory could produce unexpected results
> --- and in this case, "unexpected result" probably means "security
> failure".

If they are random, yes. You could easily define them as ordered though, by strict alphabetical ordering etc. It's still a pretty decently sized footgun for people though, and I'm not sure how useful it would actually be. And with the risk of misconfiguration being a security hole rather than a badly configured database (which would be the problem with a similar thing for postgresql.conf).

Perhaps the OP has a specific use case to share where this would actually be both safe and useful?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
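The three positions in the thread (Tom: first match wins, so a stray broad record changes the outcome for every record after it; Terje: generate pg_hba.conf from a build step; Magnus: order fragments by strict alphabetical name) can be made concrete. The script below is an added example, not code from this thread or from PostgreSQL. It assembles pg_hba.conf from fragments in a hypothetical pg_hba.d/ directory in lexicographic file-name order, then reports records that an earlier, broader record makes unreachable, marking the case where the earlier record's method is weaker than the one it hides. The fragment contents are constructed for the example, and the parser deliberately handles only single database and user names and CIDR addresses (no comma lists, @files, +groups, hostnames, samehost/samenet or separate netmask columns).

```python
"""Build pg_hba.conf from ordered fragments and flag records that an
earlier, broader record makes unreachable.

Added example, not PostgreSQL code.  It models the first-match rule of
pg_hba.conf (the first record whose connection type, database, user and
address match is the one used) on a simplified subset of the format.
"""
import ipaddress

# Constructed fragments standing in for files in a hypothetical pg_hba.d/.
# Lexicographic file-name order defines record order.
FRAGMENTS = {
    "10-local.conf":    "local  all    all                      peer\n",
    "50-app.conf":      "host   appdb  app    10.0.0.0/8        scram-sha-256\n",
    "90-catchall.conf": "host   all    all    0.0.0.0/0         reject\n",
}
# The "random entry dropped into the directory": a debugging rule whose
# file name happens to sort before everything else.
DEBUG_FRAGMENT = {"05-debug.conf": "host   all    all    0.0.0.0/0         trust\n"}

HOST_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")
# Methods that admit a client without it proving its identity.
WEAK_METHODS = {"trust"}


def assemble(fragments):
    """Concatenate fragments in strict lexicographic order of file name."""
    return "".join(fragments[name] for name in sorted(fragments))


def parse(text):
    """Parse pg_hba.conf text into (lineno, type, db, user, network, method)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            records.append((lineno, "local", f[1], f[2], None, f[3]))
        elif f[0] in HOST_TYPES and len(f) >= 5:
            net = ipaddress.ip_network(f[3], strict=False)
            records.append((lineno, f[0], f[1], f[2], net, f[4]))
        else:
            raise ValueError(f"line {lineno}: unsupported record {line!r}")
    return records


def covers(a, b):
    """True if every connection that record b would match is matched by a."""
    _, atype, adb, auser, anet, _ = a
    _, btype, bdb, buser, bnet, _ = b
    # Plain "host" matches both SSL and non-SSL (and GSS and non-GSS) TCP.
    type_ok = atype == btype or (atype == "host" and btype in HOST_TYPES)
    # "all" matches every database except replication connections.
    db_ok = adb == bdb or (adb == "all" and bdb != "replication")
    user_ok = auser == buser or auser == "all"
    if anet is None or bnet is None:
        net_ok = anet is None and bnet is None
    else:
        net_ok = anet.version == bnet.version and anet.supernet_of(bnet)
    return type_ok and db_ok and user_ok and net_ok


def shadowed(records):
    """Return (unreachable_line, shadowing_line, downgrade) triples.

    downgrade is True when the earlier record's method is weaker than the
    one it hides: the ordering error is then a security failure, not just
    a dead line.
    """
    findings = []
    for i, rec in enumerate(records):
        for earlier in records[:i]:
            if covers(earlier, rec):
                downgrade = earlier[5] in WEAK_METHODS and rec[5] not in WEAK_METHODS
                findings.append((rec[0], earlier[0], downgrade))
                break
    return findings


def check(fragments):
    """Assemble, parse and report shadowed records for a fragment set."""
    return shadowed(parse(assemble(fragments)))


if __name__ == "__main__":
    print("intended fragments:", check(FRAGMENTS))
    print("with stray debug fragment:", check({**FRAGMENTS, **DEBUG_FRAGMENT}))
```

With the three intended fragments the report is empty. Once 05-debug.conf is present it sorts first, and both the scram-sha-256 record for appdb and the final reject become unreachable behind a trust record for 0.0.0.0/0, which is exactly the "unexpected result that means security failure" the thread warns about. A build step like this, run before the file is installed, is the place to refuse such an assembly; sorting alone only makes the order deterministic, not safe.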