Re: Thoughts on pg_hba.conf rejection

From: Simon Riggs <simon(at)2ndQuadrant(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>, Aidan Van Dyk <aidan(at)highrise(dot)ca>, Joshua Tolley <eggyknap(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Thoughts on pg_hba.conf rejection
Date: 2010-04-19 22:03:06
Message-ID: 1271714586.8305.20491.camel@ebony
Lists: pgsql-hackers

On Mon, 2010-04-19 at 17:52 -0400, Robert Haas wrote:
> On Mon, Apr 19, 2010 at 5:22 PM, Simon Riggs <simon(at)2ndquadrant(dot)com> wrote:
> > On Mon, 2010-04-19 at 17:08 -0400, Robert Haas wrote:
> >
> >> Oh. Then I'm confused. Tom said: "as of 9.0, it's necessary to
> >> connect to some database in order to proceed with auth checking". Why
> >> is that necessary?
> >
> > It's not, I just explained how to do it without.
>
> Your explanation seems to presuppose that we somehow can't process the
> database-specific rules before selecting a database. I don't
> understand why that would be the case. Why can't we just check all
> the rules and then, if we decide to allow the connection, select the
> database?

Some rules are user-specific, but I see that doesn't matter and you are
right.

We can process the whole pg_hba.conf to see if it returns reject or
implicitreject before attempting to confirm the existence of any
database or any user. Any other result must be implemented during
ClientAuthentication(). So we may as well run the whole set of rules,
work out which rule applies and then remember that for later use. Just
as efficient, better security.

--
Simon Riggs www.2ndQuadrant.com
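
The ordering described in the message above, as an added example that is not part of the original message and is not PostgreSQL source code: a simplified first-match pass over the rules that decides reject or implicit reject from the client-supplied names alone, and remembers the matching rule for the later authentication step. The type names, function names and sample rules are hypothetical, and only the database and user columns are modelled.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: real pg_hba.conf lines also carry a connection type and
 * an address; only the database and user columns are matched here. */
typedef enum { M_TRUST, M_MD5, M_REJECT, M_IMPLICIT_REJECT } Method;
typedef struct { const char *db, *user; Method method; } HbaRule;

/* Constructed sample rules, evaluated top to bottom (first match wins). */
static const HbaRule rules[] = {
    { "payroll", "all",   M_REJECT },
    { "all",     "admin", M_MD5    },
    { "appdb",   "all",   M_TRUST  },
};
static const HbaRule implicit_reject = { "all", "all", M_IMPLICIT_REJECT };

static int field_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "all") == 0 || strcmp(pattern, value) == 0;
}

/* Pick the rule for a connection request using only the names the client
 * sent. No catalog is consulted, so the outcome cannot depend on whether the
 * database or user exists. The returned rule is kept for the later
 * authentication step. */
const HbaRule *hba_select_rule(const char *db, const char *user)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (field_matches(rules[i].db, db) && field_matches(rules[i].user, user))
            return &rules[i];
    return &implicit_reject;    /* no line matched: fell off the end */
}

/* 1 if the connection must be refused before any existence check. */
int hba_rejects_early(const HbaRule *r)
{
    return r->method == M_REJECT || r->method == M_IMPLICIT_REJECT;
}

int main(void)
{
    const HbaRule *r = hba_select_rule("no_such_db", "bob");
    printf("no_such_db/bob rejected early: %d\n", hba_rejects_early(r));
    return 0;
}
```

A request naming a database that does not exist gets the same early rejection as one naming a real database that no rule admits, so the refusal reveals nothing about which names exist.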
