Re: Providing catalog view to pg_hba.conf file - Patch submission

2015-02-28 1:41 GMT+01:00 Stephen Frost <sfrost(at)snowman(dot)net>:

> Pavel,
>
> * Pavel Stehule (pavel(dot)stehule(at)gmail(dot)com) wrote:
> > 2015-02-27 22:26 GMT+01:00 Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
> > > Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > > > Right, we also need a view (or function, or both) which provides what
> > > > the *active* configuration of the running postmaster is. This is
> > > > exactly what I was proposing (or what I was intending to, at least)
> with
> > > > pg_hba_active, so, again, I think we're in agreement here.
> > >
> > > I think that's going to be a lot harder than you realize, and it will
> have
> > > undesirable security implications, in that whatever you do to expose
> the
> > > postmaster's internal state to backends will also make it visible to
> other
> > > onlookers; not to mention probably adding new failure modes.
> >
> > we can do copy of pg_hba.conf somewhere when postmaster starts or when it
> > is reloaded.
>
> Please see my reply to Tom. There's no trivial way to reach into the
> postmaster from a backend- but we do get a copy of whatever the
> postmaster had when we forked, and the postmaster only reloads
> pg_hba.conf on a sighup and that sighup is passed down to the children,
> so we simply need to also reload the pg_hba.conf in the children when
> they get a sighup.
>
> That's how postgresql.conf is handled, which is what pg_settings is
> based off of, and I believe is the behavior folks are really looking
> for.
>

It has sense for me too.

Pavel

>
> Thanks,
>
> Stephen
>