Re: Parsing of pg_hba.conf and authentication inconsistencies

Bruce Momjian wrote:
> Magnus Hagander wrote:
>> Magnus Hagander wrote:
>>
>> [about the ability to use different maps for ident auth, gss and krb
>> auth for example]
>>
>>>>>> It wouldn't be very easy/clean to do that w/o breaking the existing
>>>>>> structure of pg_ident though, which makes me feel like using seperate
>>>>>> files is probably the way to go.
>> Actually, I may have to take that back. We already have support for
>> multiple maps in the ident file, I'm not really sure anymore of the case
>> where this wouldn't be enough :-)
>>
>> That said, I still think we want to parse pg_hba in the postmaster,
>> because it allows us to not load known broken files, and show errors
>> when you actually change the file etc. ;-)
>>
>> I did code up a POC patch for it, and it's not particularly hard to do.
>> Mostly it's just moving the codepath from the backend to the postmaster.
>> I'll clean it up a but and post it, just so ppl can see what it looks
>> like...
> 
> To address Magnus' specific question, right now we store the pg_hba.conf
> tokens as strings in the postmaster.  I am fine with storing them in a
> more native format and throwing errors for values that don't convert. 
> What would concern me is calling lots of 3rd party libraries from the
> postmaster to validate items.

If I was unclear about that, that part was never part of what I
proposed. I'm only talking aobut parsing the syntax. The only external
calls in the code there now is the getaddrinfo calls to convert the IPs,
IIRC.

//Magnus