From: Simon Riggs on 19 Apr 2010 17:22

On Mon, 2010-04-19 at 17:08 -0400, Robert Haas wrote:
> Oh. Then I'm confused. Tom said: "as of 9.0, it's necessary to
> connect to some database in order to proceed with auth checking". Why
> is that necessary

It's not, I just explained how to do it without.

--
Simon Riggs www.2ndQuadrant.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
From: Alvaro Herrera on 19 Apr 2010 17:47

Simon Riggs wrote:
> On Mon, 2010-04-19 at 17:08 -0400, Robert Haas wrote:
>
> > Oh. Then I'm confused. Tom said: "as of 9.0, it's necessary to
> > connect to some database in order to proceed with auth checking". Why
> > is that necessary
>
> It's not, I just explained how to do it without.

You mean purely using pg_hba.conf "all" rules? That seems a bit
unsatisfactory ...

--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
From: Robert Haas on 19 Apr 2010 17:51

On Mon, Apr 19, 2010 at 5:12 PM, Alvaro Herrera <alvherre(a)commandprompt.com> wrote:
> Robert Haas wrote:
>> On Mon, Apr 19, 2010 at 5:04 PM, Alvaro Herrera
>> <alvherre(a)commandprompt.com> wrote:
>> > Robert Haas wrote:
>> >> On Mon, Apr 19, 2010 at 4:30 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
>> >
>> >> > The only way I can think of to improve that without going back to flat
>> >> > files would be to develop a way for backends to switch databases after
>> >> > initial startup, so that auth could be done in a predetermined database
>> >> > (say, "postgres") before switching to the requested DB. This has enough
>> >> > potential gotchas, in regards to catalog caching for instance, that I'm
>> >> > not eager to go there.
>> >>
>> >> Would it be possible to set up a skeleton environment where we can
>> >> access shared catalogs only and then decide on which database we're
>> >> using later?
>> >
>> > Eh? We already do that ... In fact the autovac launcher is always
>> > connected to shared catalogs, without being connected to any one
>> > database in particular (cf. get_database_list)
>>
>> Oh. Then I'm confused. Tom said: "as of 9.0, it's necessary to
>> connect to some database in order to proceed with auth checking". Why
>> is that necessary, if we can access shared catalogs without it?
>
> Hmm, yeah, why did he say that? Maybe the order of operations during
> startup is such that we only do auth checking after connecting to a
> database for some reason.
>
> Whatever it is, I don't think a badly worded error message is enough
> grounds for fooling with this at this time of release process, though.
> To be discussed for 9.1?

I'm not proposing to fix the issue right now; but I wanted to try to
understand it while it's fresh in my mind. I'm still not seeing the
issue for some reason.

....Robert
From: Robert Haas on 19 Apr 2010 17:52

On Mon, Apr 19, 2010 at 5:22 PM, Simon Riggs <simon(a)2ndquadrant.com> wrote:
> On Mon, 2010-04-19 at 17:08 -0400, Robert Haas wrote:
>
>> Oh. Then I'm confused. Tom said: "as of 9.0, it's necessary to
>> connect to some database in order to proceed with auth checking". Why
>> is that necessary
>
> It's not, I just explained how to do it without.

Your explanation seems to presuppose that we somehow can't process the
database-specific rules before selecting a database. I don't
understand why that would be the case. Why can't we just check all
the rules and then, if we decide to allow the connection, select the
database?

....Robert
From: Simon Riggs on 19 Apr 2010 18:03

On Mon, 2010-04-19 at 17:52 -0400, Robert Haas wrote:
> On Mon, Apr 19, 2010 at 5:22 PM, Simon Riggs <simon(a)2ndquadrant.com> wrote:
> > On Mon, 2010-04-19 at 17:08 -0400, Robert Haas wrote:
> >
> >> Oh. Then I'm confused. Tom said: "as of 9.0, it's necessary to
> >> connect to some database in order to proceed with auth checking". Why
> >> is that necessary
> >
> > It's not, I just explained how to do it without.
>
> Your explanation seems to presuppose that we somehow can't process the
> database-specific rules before selecting a database. I don't
> understand why that would be the case. Why can't we just check all
> the rules and then, if we decide to allow the connection, select the
> database?

Some rules are user-specific, but I see that doesn't matter and you are
right. We can process the whole pg_hba.conf to see if it returns reject
or implicit reject before attempting to confirm the existence of any
database or any user. Any other result must be implemented during
ClientAuthentication(). So we may as well run the whole set of rules,
work out which rule applies and then remember that for later use. Just
as efficient, better security.

--
Simon Riggs www.2ndQuadrant.com
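As an added illustration of the two-phase scheme Simon describes (example code written for this page, not PostgreSQL's hba.c and not from any poster): evaluate pg_hba.conf first-match rules on the names the client supplied, stop on reject or implicit reject before any lookup of the database or user, and otherwise remember the matched method for the later authentication step. It assumes a constructed sample file and handles only local/host lines with the "all" and "sameuser" keywords.

```python
import ipaddress
from collections import namedtuple
# Constructed pg_hba.conf fragment for this example (not a real deployment file).
SAMPLE_HBA = """
# TYPE  DATABASE   USER      ADDRESS         METHOD
local   all        postgres                  peer
host    sameuser   all       10.0.0.0/8      md5
host    reporting  analyst   192.168.1.0/24  md5
host    all        all       192.168.0.0/16  reject
host    all        all       0.0.0.0/0       md5
"""

HbaRule = namedtuple("HbaRule", "conn_type database user address method")

def parse_hba(text):
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            rules.append(HbaRule(fields[0], fields[1], fields[2], None, fields[3]))
        else:
            net = ipaddress.ip_network(fields[3], strict=False)
            rules.append(HbaRule(fields[0], fields[1], fields[2], net, fields[4]))
    return rules

def _db_matches(rule_db, database, user):
    # 'sameuser' is the pg_hba keyword for "database name equals user name"
    return rule_db == "all" or rule_db == database or (rule_db == "sameuser" and database == user)

def find_rule(rules, conn_type, database, user, client_ip=None):
    """First-match semantics: the first line matching every field decides."""
    for r in rules:
        if r.conn_type != conn_type or not _db_matches(r.database, database, user):
            continue
        if r.user not in ("all", user):
            continue
        if conn_type == "host" and ipaddress.ip_address(client_ip) not in r.address:
            continue
        return r
    return None  # no matching line: implicit reject

def pre_connect_decision(rules, conn_type, database, user, client_ip=None):
    """Run the whole rule set on the supplied names before any existence check;
    reject/implicit reject ends here, otherwise the method is kept for ClientAuthentication()."""
    rule = find_rule(rules, conn_type, database, user, client_ip)
    if rule is None or rule.method == "reject":
        return ("reject", None)
    return ("continue", rule.method)
```

Because the reject decision is taken on the rule set alone, a client in a rejected address range gets the same answer whether or not the database it named exists.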