From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: pg_hba_lookup function to get all matching pg_hba.conf entries |
Date: | 2015-11-25 08:18:18 |
Message-ID: | CAFj8pRBX7=pWtOyfm=gtpP3XScrFv+C1GHB6q-W_PzFiz964fA@mail.gmail.com |
Lists: | pgsql-hackers |
2015-11-25 8:05 GMT+01:00 Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>:
> On Tue, Nov 17, 2015 at 9:37 AM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> > On 11/16/15 2:37 AM, Haribabu Kommi wrote:
> >> On Mon, Nov 16, 2015 at 2:30 PM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> >>> On 7/21/15 5:15 AM, Haribabu Kommi wrote:
> >>>> With the output of this view, the administrator can easily identify
> >>>> the lines that match the given criteria without going through the file.
> >>>
> >>> How is this useful? I could see the use if you want to debug cases of
> >>> user foo on host bar says they can't connect, but you can't impersonate
> >>> them to verify it. But then all you need is a function with a scalar
> >>> result, not a result set.
> >>
> >> Do you mean the function should return true or false based on the
> >> connection status with the provided arguments?
> >>
> >> I also find it difficult to understand the function result as compared
> >> to a view.
> >
> > An hba lookup is essentially a lookup by user name, database name,
> > client address, yielding an authentication method (possibly with
> > parameters). So I think this function should work that way as well:
> > arguments are user name, database name, and so on, and the return value
> > is an authentication method. Maybe it would be some kind of record,
> > with line number and some parameters.
> >
> > That would address the use case I put forth above. I don't know whether
> > that's what you were going for.
>
> Thanks. Here I have attached the PoC patch that returns the authentication
> method of the first matched hba entry in pg_hba.conf with the given input
> values. Currently these functions return text type. Based on the details
> required to be printed, it can be changed.
>
> postgres=# select pg_hba_lookup('all', 'all');
> pg_hba_lookup
> ---------------
> trust
> (1 row)
>
> Comments on the approach?
>
From my perspective, it shows too little information.
What I am expecting:
1. line number of the chosen rule
2. some tracing - via NOTICE, which rules were skipped and why.

Regards
Pavel
>
> Regards,
> Hari Babu
> Fujitsu Australia
>
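The lookup discussed in this thread (user name, database name and client address in, authentication method out), together with the line number and skip trace requested in the reply, as an added example that is not part of the original message or of the proposed patch. It is a simplified Python model of pg_hba.conf first-match evaluation: the sample file is constructed, `hba_lookup` is a hypothetical helper, and it assumes only `local` and `host` records with `all`, comma-separated names and CIDR addresses.

```python
import ipaddress

# Constructed sample pg_hba.conf, not taken from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    appdb     app       10.0.0.0/8       md5
host    all       all       192.168.1.0/24   trust
host    all       all       0.0.0.0/0        reject
"""

def _listed(field, value):
    # Simplified: only "all" and comma-separated literal names are understood.
    names = field.split(",")
    return "all" in names or value in names

def hba_lookup(conf_text, database, user, address=None):
    """Hypothetical helper: return (line_number, method, trace) for the first
    matching record. address=None models a Unix-socket connection."""
    client = ipaddress.ip_address(address) if address else None
    trace = []  # (line_number, reason) for every record that was skipped
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        kind = fields[0]
        if kind not in ("local", "host") or len(fields) < (4 if kind == "local" else 5):
            trace.append((line_no, "unsupported or malformed record"))
            continue
        net = None if kind == "local" else ipaddress.ip_network(fields[3], strict=False)
        method = fields[3] if kind == "local" else fields[4]
        if (client is None) != (kind == "local"):
            reason = f"connection type is {kind}"
        elif not _listed(fields[1], database):
            reason = f"database {database!r} not in {fields[1]!r}"
        elif not _listed(fields[2], user):
            reason = f"user {user!r} not in {fields[2]!r}"
        elif net is not None and client not in net:
            reason = f"address {client} outside {net}"
        else:
            return line_no, method, trace
        trace.append((line_no, reason))
    return None, None, trace  # no record matched: the server refuses the connection

if __name__ == "__main__":
    line_no, method, trace = hba_lookup(SAMPLE_HBA, "appdb", "bob", "192.168.1.7")
    for skipped, why in trace:
        print(f"NOTICE: line {skipped} skipped: {why}")
    print(f"line {line_no}: {method}")
```

Run against the sample, the trace shows that user `bob` from 192.168.1.7 falls through the `md5` record on line 3 and lands on the `trust` record on line 4, which is the kind of finding a method-only result would hide.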