Thread: Where do pg_hba.conf include files live?

Where do pg_hba.conf include files live?

From: Tom Lane
Date:

The SGML docs state that include files referenced by "@foo" constructs
in pg_hba.conf "must be in the same directory as pg_hba.conf".  The
actual implementation, however, assumes they must be in DataDir.
This is no longer the same thing after the introduction of the
data_directory and hba_file GUC parameters.

It seems to me that in a context where you are storing pg_hba.conf in a
separate configuration directory, putting the include files in that same
directory is the behavior you'd want.  On the other hand, the contents
of those files would often be data-cluster-specific (since they'd
typically be lists of user or database names).  Maybe the code behavior
is still sensible.

One thing that's probably *not* sensible either way is that the code
forcibly prepends the directory name even if it's fed "@/abs/path".
I think if an absolute path is given it should be honored.  That would
give an "out" for DBAs who want whichever behavior we don't provide.

The changes to fix the code, if we decide the code is wrong rather than
the docs, do not look very large; so I don't think we need to decide
this on the basis of it being too late to change for 8.0.

Comments?
        regards, tom lane


Re: Where do pg_hba.conf include files live?

From: Bruce Momjian
Date:

Tom Lane wrote:
> The SGML docs state that include files referenced by "@foo" constructs
> in pg_hba.conf "must be in the same directory as pg_hba.conf".  The
> actual implementation, however, assumes they must be in DataDir.
> This is no longer the same thing after the introduction of the
> data_directory and hba_file GUC parameters.
> 
> It seems to me that in a context where you are storing pg_hba.conf in a
> separate configuration directory, putting the include files in that same
> directory is the behavior you'd want.  On the other hand, the contents
> of those files would often be data-cluster-specific (since they'd
> typically be lists of user or database names).  Maybe the code behavior
> is still sensible.
> 
> One thing that's probably *not* sensible either way is that the code
> forcibly prepends the directory name even if it's fed "@/abs/path".
> I think if an absolute path is given it should be honored.  That would
> give an "out" for DBAs who want whichever behavior we don't provide.
> 
> The changes to fix the code, if we decide the code is wrong rather than
> the docs, do not look very large; so I don't think we need to decide
> this on the basis of it being too late to change for 8.0.

Good point.  I agree @ should be relative to pg_hba.conf directory and
not datadir, and that absolute paths should work.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
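
The two lookup rules discussed in this thread, side by side, as an added example that is not part of either message and is not PostgreSQL source code. The function names and sample paths are constructed, and the name passed in is the text after the "@".

```c
/* Added example: models the include-path rules discussed in the thread.
 * Not PostgreSQL source; function names and sample paths are constructed. */
#include <stdio.h>
#include <string.h>

static char demo_buf[256];      /* scratch buffer for the demo */

/* Behaviour the thread attributes to the existing code: the data
 * directory is always prepended, even when the name is absolute. */
static const char *resolve_datadir(const char *data_dir, const char *name,
                                   char *out, size_t len)
{
    int n = snprintf(out, len, "%s/%s", data_dir, name);
    return (n < 0 || (size_t) n >= len) ? NULL : out;   /* NULL: would truncate */
}

/* Behaviour proposed in the thread: absolute names are used as given,
 * relative names are looked up beside the file named by hba_file. */
static const char *resolve_hbadir(const char *hba_file, const char *name,
                                  char *out, size_t len)
{
    const char *slash = strrchr(hba_file, '/');
    int n;

    if (name[0] == '/' || slash == NULL)
        /* absolute name, or hba_file has no directory part */
        n = snprintf(out, len, "%s", name);
    else
        n = snprintf(out, len, "%.*s/%s",
                     (int) (slash - hba_file), hba_file, name);
    return (n < 0 || (size_t) n >= len) ? NULL : out;   /* NULL: would truncate */
}

int main(void)
{
    const char *data_dir = "/srv/pg/data";                 /* constructed */
    const char *hba_file = "/etc/postgresql/pg_hba.conf";  /* constructed */
    const char *names[] = { "admins", "/etc/pg_lists/admins" };

    for (int i = 0; i < 2; i++) {
        printf("@%s\n", names[i]);
        printf("  DataDir rule:  %s\n",
               resolve_datadir(data_dir, names[i], demo_buf, sizeof demo_buf));
        printf("  hba_file rule: %s\n",
               resolve_hbadir(hba_file, names[i], demo_buf, sizeof demo_buf));
    }
    return 0;
}
```

When reviewing an installation, resolve each "@" name under the rule the running server actually applies and check ownership and permissions on the resulting file, since it feeds the user and database lists that pg_hba.conf matches against.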