Skip site navigation (1) Skip section navigation (2)

Reporting hba lines

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Reporting hba lines
Date: 2012-06-27 12:54:15
Message-ID: CABUevEztu2cbVNR4ZMuTrtxWyZsPp3Y+4rYgPmaNh5N0T3E08Q@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
When debugging strange and complex pg_hba lines, it can often be quite
useful to know which line is matching a particular connection that
failed for some reason. Because more often than not, it's actually not
using the line in pg_hba.conf that's expected.

The easiest way to do this is to emit an errdetail for the login
failure, per this patch.

Question is - is that leaking information to the client that we
shouldn't be leaking?

And if it is, what would be the preferred way to deal with it? We
could put that as a detail to basically every single error message
coming out of the auth system, but that seems like a bad idea. Or we
could make a separate ereport(LOG) before send it to the client,
perhaps?

Thoughts?

-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Attachment: hba_line.patch
Description: application/octet-stream (439 bytes)

Responses

pgsql-hackers by date

Next:From: Kohei KaiGaiDate: 2012-06-27 13:07:55
Subject: Re: [v9.3] Row-Level Security
Previous:From: Robert HaasDate: 2012-06-27 12:47:33
Subject: Re: pg_terminate_backend for same-role

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group