Re: pg_hba_lookup function to get all matching pg_hba.conf entries

From: Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pg_hba_lookup function to get all matching pg_hba.conf entries
Date: 2015-11-25 07:05:20
Message-ID: CAJrrPGfb8uM9pTiOE-m6mMn5C=dNrejCCU1AG5m_A2YpjHrO2A@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Tue, Nov 17, 2015 at 9:37 AM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> On 11/16/15 2:37 AM, Haribabu Kommi wrote:
>> On Mon, Nov 16, 2015 at 2:30 PM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
>>> On 7/21/15 5:15 AM, Haribabu Kommi wrote:
>>>> With the output of this view, administrator can identify the lines
>>>> that are matching for the given
>>>> criteria easily without going through the file.
>>>
>>> How is this useful? I could see the use if you want to debug cases of
>>> user foo on host bar says they can't connect, but you can't impersonate
>>> them to verify it. But then all you need is a function with a scalar
>>> result, not a result set.
>>
>> Do you mean the function should return true or false based on the connection
>> status with the provided arguments?
>>
>> I also feel difficult to understand the function result as compared to a view.
>
> An hba lookup is essentially a lookup by user name, database name,
> client address, yielding an authentication method (possibly with
> parameters). So I think this function should work that way as well:
> arguments are user name, database name, and so on, and the return value
> is an authentication method. Maybe it would be some kind of record,
> with line number and some parameters.
>
> That would address the use case I put forth above. I don't know whether
> that's what you were going for.

Thanks. Here I attached the poc patch that returns authentication method of the
first matched hba entry in pg_hba.conf with the given input values.
Currently these
functions returns text type. Based on the details required to be
printed, it can
be changed.

postgres=# select pg_hba_lookup('all', 'all');
pg_hba_lookup
---------------
trust
(1 row)

comments for the approach?

Regards,
Hari Babu
Fujitsu Australia

Attachment Content-Type Size
pg_hba_lookup_poc_v2.patch application/octet-stream 9.1 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Victor Wagner 2015-11-25 07:36:58 What .gitignore files do in the tarball?
Previous Message Jim Nasby 2015-11-25 06:57:31 Re: custom function for converting human readable sizes to bytes