Re: Parsing of pg_hba.conf and authentication inconsistencies

Magnus Hagander wrote:
> Magnus Hagander wrote:
> 
> [about the ability to use different maps for ident auth, gss and krb
> auth for example]
> 
> >>>> It wouldn't be very easy/clean to do that w/o breaking the existing
> >>>> structure of pg_ident though, which makes me feel like using seperate
> >>>> files is probably the way to go.
> 
> Actually, I may have to take that back. We already have support for
> multiple maps in the ident file, I'm not really sure anymore of the case
> where this wouldn't be enough :-)
> 
> That said, I still think we want to parse pg_hba in the postmaster,
> because it allows us to not load known broken files, and show errors
> when you actually change the file etc. ;-)
> 
> I did code up a POC patch for it, and it's not particularly hard to do.
> Mostly it's just moving the codepath from the backend to the postmaster.
> I'll clean it up a but and post it, just so ppl can see what it looks
> like...

To address Magnus' specific question, right now we store the pg_hba.conf
tokens as strings in the postmaster.  I am fine with storing them in a
more native format and throwing errors for values that don't convert. 
What would concern me is calling lots of 3rd party libraries from the
postmaster to validate items.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +