Re: BUG #8375: pg_hba.conf: Include_dir like in postgresql.conf

On Thu, Aug 8, 2013 at 2:39 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> hv@tbz-pariv.de writes:
>> For easier deployment it would be nice to have an include_dir directive in
>> pg_hba.conf.
>
> This doesn't seem like a remarkably good idea from here, mainly because
> entries in pg_hba.conf are critically order-dependent.  Dropping random
> entries into a conf.d-like directory could produce unexpected results
> --- and in this case, "unexpected result" probably means "security
> failure".

If they are random, yes. You could easliy define them as ordered
though, by strict alphabetical ordering etc.

It's still a pretty decently sized footgun for people though, and I'm
not sure how useful it would actually be. And with the risk of
misconfiguration being a security hole rather than a badly configured
database (which would be the problem with a simliar thing for
postgresql.conf).

Perhaps the OP has a specific usecase to share where this would
actually be both safe and useful?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/