| From: | "Shulgin, Oleksandr" <oleksandr(dot)shulgin(at)zalando(dot)de> |
|---|---|
| To: | Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com> |
| Cc: | Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_hba_lookup function to get all matching pg_hba.conf entries |
| Date: | 2015-12-23 14:02:48 |
| Message-ID: | CACACo5Rbx+tV+TLZNr=WgymZhZYAbDqUKnBjcdGaX-YSSnyd5A@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Dec 23, 2015 at 12:56 PM, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>
wrote:
> On Wed, Dec 23, 2015 at 8:54 PM, Shulgin, Oleksandr
> <oleksandr(dot)shulgin(at)zalando(dot)de> wrote:
> >
> > 1. Have you considered re-loading the HBA file upon call to this
> function in
> > a local context instead of keeping it in the backends memory? I do not
> > expect that the revert of 1e24cf645d24aab3ea39a9d259897fd0cae4e4b6 would
> be
> > accepted, as the commit message refers to potential security problems
> with
> > keeping this data in backend memory:
> >
> > ... This saves a
> > probably-usually-negligible amount of space per running backend. It
> > also
> > avoids leaving potentially-security-sensitive data lying around in
> > memory
> > in processes that don't need it. You'd have to be unusually
> paranoid to
> > think that that amounts to a live security bug, so I've not gone so
> far
> > as
> > to forcibly zero the memory; but there surely isn't a good reason to
> > keep
> > this data around.
>
> Yes, it is possible to load the file locally whenever the lookup
> function is called.
> Only thing i am considering is performance impact because of huge file load
> whenever the function is called.
>
Not sure why do you call it huge? Anyway since this is going to be used to
debug connection problems, I would expect the performance impact to be
insignificant.
On the other hand, re-loading the HBA file in the function will enable the
DBA to test if a proposed change to the HBA file fixes the client problem
w/o making the server to reload the config.
> 3. What happens with special keywords for database column like
> > sameuser/samerole/samegroup and for special values in the user column?
>
> There is no special handling for the keywords in this approach. Based on
> the
> inputs to the function, it checks for the matched line in all hba lines.
>
> For example, if a configuration line contains 'all' for database and user
> names,
> then if user gives any database name and user name this line will be
> matched
> and returned.
>
Now I wonder why are you trying to re-implement the checks found in hba.c's
check_hba() instead of extending this function to provide textual reason(s)
for skipping/rejection?
--
Alex
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fabien COELHO | 2015-12-23 14:22:52 | Re: Let PostgreSQL's On Schedule checkpoint write buffer smooth spread cycle by tuning IsCheckpointOnSchedule? |
| Previous Message | Michael Paquier | 2015-12-23 13:55:23 | Re: pg_hba_lookup function to get all matching pg_hba.conf entries |