From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Reporting hba lines |
Date: | 2012-06-27 14:04:21 |
Message-ID: | CABUevExVKfGNgUs=s9GGPOm5FziKmvmLCJFiR27MfLfG8YSc=A@mail.gmail.com |
Lists: | pgsql-hackers |

On Wed, Jun 27, 2012 at 3:55 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> When debugging strange and complex pg_hba lines, it can often be quite
>> useful to know which line is matching a particular connection that
>> failed for some reason. Because more often than not, it's actually not
>> using the line in pg_hba.conf that's expected.
>
>> The easiest way to do this is to emit an errdetail for the login
>> failure, per this patch.
>
>> Question is - is that leaking information to the client that we
>> shouldn't be leaking?
>
> Yes.
>
>> And if it is, what would be the preferred way to deal with it?
>
> Report to the postmaster log only. errdetail_log should do.

Oh, I wasn't aware we had that :) You learn something new every day.

> BTW, are you sure that auth_failed is only called in cases where
> an hba line has already been identified? Even if true today,
> it seems fairly risky to assume that.

It is true today, but yes, it might be safe to guard against it with
something like this?

I also fixed the error message to follow the guidelines better - I think :)

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
Attachment | Content-Type | Size |
---|---|---|
hba_line.patch | application/octet-stream | 637 bytes |
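
The approach discussed in this message (the matched hba line reported to the server log only, with a guard for the case where no line has been identified), sketched as an added example. It is not the attached hba_line.patch and not PostgreSQL source; the `HbaLine` and `AuthReport` types, the `report_auth_failure` function and the message texts are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed pg_hba.conf entry. */
typedef struct { int linenumber; const char *method; } HbaLine;

/* The two views of one failure: what the client sees, what the log gets. */
typedef struct {
    char client_msg[128];  /* sent to the connecting client */
    char log_msg[256];     /* written to the server log only */
} AuthReport;

/*
 * Build both views of an authentication failure.
 * hba may be NULL when no pg_hba.conf line has been identified yet;
 * in that case the log message carries no detail line at all.
 */
void report_auth_failure(const char *user, const HbaLine *hba, AuthReport *out)
{
    int n;

    /* Client view: never mentions which rule matched. */
    snprintf(out->client_msg, sizeof out->client_msg,
             "FATAL:  authentication failed for user \"%s\"", user);

    /* Log view: starts as the same primary message. */
    n = snprintf(out->log_msg, sizeof out->log_msg, "%s", out->client_msg);

    /* Log-only detail, added only if a line is known and there is room. */
    if (hba != NULL && n > 0 && (size_t) n < sizeof out->log_msg)
        snprintf(out->log_msg + n, sizeof out->log_msg - (size_t) n,
                 "\nDETAIL:  Connection matched pg_hba.conf line %d",
                 hba->linenumber);
}

int main(void)
{
    HbaLine line = { 42, "md5" };  /* constructed sample entry */
    AuthReport r;

    report_auth_failure("alice", &line, &r);
    printf("client: %s\nlog:    %s\n\n", r.client_msg, r.log_msg);

    report_auth_failure("alice", NULL, &r);  /* no hba line identified */
    printf("client: %s\nlog:    %s\n", r.client_msg, r.log_msg);
    return 0;
}
```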