Re: Parsing of pg_hba.conf and authentication inconsistencies

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Josh Berkus <josh(at)agliodbs(dot)com>, Gregory Stark <stark(at)enterprisedb(dot)com>, PG Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Parsing of pg_hba.conf and authentication inconsistencies
Date: 2008-08-03 08:36:56
Message-ID: 48956E28.1070004@hagander.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>> The good way to solve this would be to have independant command line
>>> utilities which check pg_hba.conf, pg_ident.conf and postgresql.conf for
>>> errors. Then DBAs could run a check *before* restarting the server.
>
>> While clearly useful, it'd still leave the fairly large foot-gun that is
>> editing the hba file and HUPing things which can leave you with a
>> completely un-connectable database because of a small typo.
>
> That will *always* be possible, just because software is finite and
> human foolishness is not ;-).

Certainly - been bitten by that more than once. But we can make it
harder or easier to make the mistakes..

> Now, we could ameliorate it a bit given a "postgres --check-config"
> mode by having pg_ctl automatically run that mode before any start,
> restart, or reload command, and then refusing to proceed if the check
> detects any indubitable errors. On the other hand, that would leave
> us with the scenario where the checking code warns about stuff that it
> can't be sure is wrong, but then we go ahead and install the borked
> config anyway. (Nobody is going to put up with code that refuses
> to install config settings that aren't 100% clean, unless the checks
> are so weak that they miss a lot of possibly-useful warnings.)
>
> Seems a lot better to me to just train people to run the check-config
> code by hand before pulling the trigger to load the settings for real.

It's certainly easier for us, but that means a whole lot of people are
never going to do it. And initscripts might end up using it anyway,
forcing the issue.

I think it'd be reasonable to refuse starting if the config is *known
broken* (such as containing lines that are unparseable, or that contain
completely invalid tokens), whereas you'd start if they just contain
things that are "probably wrong". But picking from your previous
examples of "more advanced checks", there are lots of cases where
things like overlapping CIDR address ranges are perfectly valid, so I
don't think we could even throw a warning for that - unless there's a
separate flag to enable/disable warnings for such a thing.

//Magnus

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Dean Rasheed 2008-08-03 09:05:06 Re: Auto-explain patch
Previous Message Magnus Hagander 2008-08-03 08:29:22 Re: Parsing of pg_hba.conf and authentication inconsistencies