Re: HBA files w/include support?
From | Stephen Frost |
---|---|
Subject | Re: HBA files w/include support? |
Date | |
Msg-id | 20140216224755.GO2921@tamriel.snowman.net |
In response to | Re: HBA files w/include support? (Jim Nasby <jim@nasby.net>) |
List | pgsql-hackers |
* Jim Nasby (jim@nasby.net) wrote:
> On 2/14/14, 8:36 AM, Stephen Frost wrote:
> >* Bruce Momjian (bruce@momjian.us) wrote:
> >>In an ideal world we would have a tool where you could plug in a
> >>username, database, IP address, and test pg_hba.conf file and it would
> >>report what line is matched.
> >
> >That's not a bad idea, but we don't expose the logic that figures that
> >out today.. It would, perhaps, not be horrible to duplicate it, but
> >then we'd need to make sure that we update both places if it ever
> >changes (not that it's changed much in oh-so-many-years). Perhaps
> >another candidate to be a GSoC project.
>
> Stupid question... is there a reason we couldn't use the same code for both?

It'd just be a matter of shifting things around to make that work. I'm not against it, but this code is hardly of general or common use.

> BTW, I'm not sure that SQL would be the appropriate API for this testing; but presumably it wouldn't be hard to add functionality to the wire protocol to support the case of "hypothetically, if I were to attempt a connection that looks like this, what would happen?"

Well, we have that, and it's "just do it" and you'll see. Making that easier to determine would have to be done post-authentication anyway, lest we make it easier for would-be attackers, and at that point I'm not sure that there's much benefit in having something in the protocol for this rather than just a handy SQL function, which people who care about these things are probably going to be pretty familiar with anyway..

Thanks,

Stephen
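The offline tool discussed in this thread (plug in a username, database, IP address and a test pg_hba.conf, get back the matched line) can be sketched as follows. This is an added example, not code from the thread or from PostgreSQL; it duplicates only a simplified first-match rule, and `match_hba`, `_name_matches` and the sample file are hypothetical names and constructed data.

```python
import ipaddress

# Constructed sample pg_hba.conf, not taken from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    all       all       127.0.0.1/32    scram-sha-256
hostssl sales     app,etl   10.0.0.0/8      cert
host    sameuser  all       192.168.1.0/24  md5
host    all       all       0.0.0.0/0       reject
"""

def _name_matches(field, name, user=None):
    """Match a comma-separated DATABASE or USER field (all / sameuser / literal)."""
    for item in field.split(","):
        if item in ("all", name) or (item == "sameuser" and name == user):
            return True
    return False

def match_hba(text, user, database, addr=None, ssl=False):
    """Return (line_number, method) of the first matching record, or None.

    addr=None models a Unix-socket connection. Simplifying assumptions: no
    quoting, +role/@file/include entries, hostnames, separate netmask column,
    samerole or replication handling.
    """
    client = ipaddress.ip_address(addr) if addr else None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local":
            if client is not None or len(fields) < 4:
                continue
            db, usr, method = fields[1], fields[2], fields[3]
        elif conn_type in ("host", "hostssl", "hostnossl"):
            if client is None or len(fields) < 5:
                continue
            if (conn_type == "hostssl" and not ssl) or (conn_type == "hostnossl" and ssl):
                continue
            db, usr, net, method = fields[1], fields[2], fields[3], fields[4]
            # An IPv4 client never matches an IPv6 network and vice versa.
            if net != "all" and client not in ipaddress.ip_network(net, strict=False):
                continue
        else:
            continue
        if _name_matches(db, database, user) and _name_matches(usr, user):
            return lineno, method  # first match wins; later records are never consulted
    return None  # no record matched: the server would refuse the connection
```

Because the first matching record decides the outcome, running such a check over a candidate file before reloading it shows when a broad early record shadows a stricter one further down.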