From 7d2bfe07eb32e33ed61ee64ac5af774742f5be4f Mon Sep 17 00:00:00 2001 From: Amit Kapila Date: Wed, 17 Feb 2021 16:21:12 +0530 Subject: [PATCH v3] Improve the error message details for authentication failures. The authentication failure error messages weren't distinguishing whether it is a physical replication or logical replication connection failure and gives unclear information on what led to failure in case of logical replication connection failures. Add the errdetail to give appropriate information. Author: Paul Martinez, with changes by me Reviewed-by: Amit Kapila Discussion: https://postgr.es/m/CACqFVBYahrAi2OPdJfUA3YCvn3QMzzxZdw0ibSJ8wouWeDtiyQ@mail.gmail.com --- doc/src/sgml/client-auth.sgml | 5 ++++- src/backend/libpq/auth.c | 16 ++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index c4b9971a20..2a859caac6 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -230,7 +230,10 @@ hostnogssenc database userreplication specifies that the record matches if a physical replication connection is requested (note that - replication connections do not specify any particular database). + replication connections do not specify any particular database); + it does not match logical replication connections, which specify + replication=database and a dbname + in their connection string. Otherwise, this is the name of a specific PostgreSQL database. Multiple database names can be supplied by separating them with diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 545635f41a..2314adb699 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -417,7 +417,7 @@ ClientAuthentication(Port *port) #endif _("no encryption"); - if (am_walsender) + if (am_walsender && !am_db_walsender) ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), /* translator: last %s describes encryption state */ @@ -431,7 +431,9 @@ ClientAuthentication(Port *port) errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s", hostinfo, port->user_name, port->database_name, - encryption_state))); + encryption_state), + am_db_walsender ? + errdetail("Logical replication connections do not match pg_hba.conf rules using the \"replication\" keyword.") : 0)); break; } @@ -463,7 +465,7 @@ ClientAuthentication(Port *port) #endif _("no encryption"); -#define HOSTNAME_LOOKUP_DETAIL(port) \ +#define HOSTNAME_LOOKUP_DETAIL_LOG(port) \ (port->remote_hostname ? \ (port->remote_hostname_resolv == +1 ? \ errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \ @@ -484,14 +486,14 @@ ClientAuthentication(Port *port) gai_strerror(port->remote_hostname_errcode)) : \ 0)) - if (am_walsender) + if (am_walsender && !am_db_walsender) ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), /* translator: last %s describes encryption state */ errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s", hostinfo, port->user_name, encryption_state), - HOSTNAME_LOOKUP_DETAIL(port))); + HOSTNAME_LOOKUP_DETAIL_LOG(port))); else ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), @@ -500,7 +502,9 @@ ClientAuthentication(Port *port) hostinfo, port->user_name, port->database_name, encryption_state), - HOSTNAME_LOOKUP_DETAIL(port))); + am_db_walsender ? + errdetail("Logical replication connections do not match pg_hba.conf rules using the \"replication\" keyword.") : 0, + HOSTNAME_LOOKUP_DETAIL_LOG(port))); break; } -- 2.28.0.windows.1