Re: Thoughts on pg_hba.conf rejection

On Mon, 2010-04-19 at 16:30 -0400, Tom Lane wrote:
> Simon Riggs <simon(at)2ndQuadrant(dot)com> writes:
> > Point of note on giving information to the bad guys: if a
> > should-be-rejected connection request attempts to connect to a
> > non-existent database, we say "database does not exist".
>
> Yeah. This was an acknowledged shortcoming of the changes to eliminate
> flat-file storage of authentication information --- as of 9.0, it's
> necessary to connect to some database in order to proceed with auth
> checking.

With code as currently, yes, though I see that there is a way to do
this.

Rules that have an "all" in the database field of the hba can be applied
prior to attempting to select the database, as long as the "all" rule is
above any database-specific rules. So its possible, we just need to
special case the code so we call it once before db is assigned for "all"
rules only and then again later, as is now, including 100% of rules. (I
say 100% to avoid using the word all in two contexts in same sentence).

> We discussed it at the time and agreed it was an acceptable
> loss.
>
> The only way I can think of to improve that without going back to flat
> files would be to develop a way for backends to switch databases after
> initial startup, so that auth could be done in a predetermined database
> (say, "postgres") before switching to the requested DB. This has enough
> potential gotchas, in regards to catalog caching for instance, that I'm
> not eager to go there.
>
> Alternatively we could lie, and produce an auth failure message of some
> sort rather than admitting the DB doesn't exist. But that seems like
> it's going to create enough confusion to not be acceptable.

--
Simon Riggs www.2ndQuadrant.com