| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Chapman Flack <chap(at)anastigmatix(dot)net>, "Bossart, Nathan" <bossartn(at)amazon(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: allow specifying direct role membership in pg_hba.conf |
| Date: | 2021-05-14 19:35:26 |
| Message-ID: | 2190058.1621020926@sss.pgh.pa.us |
| Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Chapman Flack (chap(at)anastigmatix(dot)net) wrote:
>> If pg_hba syntax changes are being entertained, I would love to be able
>> to set ssl_min_protocol_version locally in a hostssl rule.
>> Some clients at $work are stuck with ancient SSL libraries, but I would
>> much rather be able to weaken ssl_min_protocol_version just for them
>> than do it globally.
> This (unlike what was actually proposed) does seem like it'd be a useful
> improvement. Not sure exactly how it would work but I'm generally on
> board with the idea.
Seems like putting GUCs directly into pg_hba would be a mess. Would
it be enough to tell people to use ALTER ROLE/DATABASE SET for this,
and then fix things so that we recheck the protocol version (and
possibly bail out) after absorbing those settings?
I can think of objections to this:
* If you actually want to tie the restriction to source IP addresses,
rather than users or databases, this doesn't get the job done.
* The authentication cycle would be completed (or at least mostly
so) before we bail out; so if the concern is about packet-sniffing
or MITM attacks, maybe this would expose too much.
But it does have the advantage of being something it seems like
we could get done easily.
regards, tom lane
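Before weakening ssl_min_protocol_version anywhere (globally, or per role/database as sketched above), an administrator wants to know which sessions actually negotiate old TLS versions, from which roles and which source addresses, since that decides whether a per-user or a per-address restriction would cover the legacy clients. The query below is an added example, not part of this thread or of any patch discussed in it; it assumes a PostgreSQL 12 or later server where the standard pg_stat_ssl and pg_stat_activity views are available to the querying role.

```sql
-- Inventory of current TLS sessions: which role, database and client
-- address negotiated which protocol version. Joined on pid, since
-- pg_stat_ssl carries one row per backend.
SELECT a.usename,
       a.datname,
       a.client_addr,
       s.version   AS tls_version,
       s.cipher,
       s.bits,
       count(*)    AS sessions
FROM   pg_stat_ssl s
JOIN   pg_stat_activity a USING (pid)
WHERE  s.ssl
  AND  a.backend_type = 'client backend'
GROUP  BY a.usename, a.datname, a.client_addr, s.version, s.cipher, s.bits
ORDER  BY s.version, a.usename, a.client_addr;

-- Narrow to the sessions that would break if the global minimum were
-- raised to TLS 1.2: these are the candidates for any targeted exception.
SELECT a.usename, a.client_addr, s.version AS tls_version, count(*) AS sessions
FROM   pg_stat_ssl s
JOIN   pg_stat_activity a USING (pid)
WHERE  s.ssl
  AND  a.backend_type = 'client backend'
  AND  s.version IN ('TLSv1', 'TLSv1.1')
GROUP  BY a.usename, a.client_addr, s.version
ORDER  BY sessions DESC;
```

Sampling this over time (for example from a cron job writing into a log table) gives the evidence for whether the legacy clients map cleanly onto a set of roles and databases, in which case the ALTER ROLE/DATABASE SET route proposed above would suffice, or onto a set of source addresses, which is the case the first objection above is about.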