On Mon, 2010-04-19 at 17:52 -0400, Robert Haas wrote:
> On Mon, Apr 19, 2010 at 5:22 PM, Simon Riggs <si...@2ndquadrant.com> wrote:
> > On Mon, 2010-04-19 at 17:08 -0400, Robert Haas wrote:
> >
> >> Oh. Then I'm confused. Tom said: "as of 9.0, it's necessary to
> >> connect to some database in order to proceed with auth checking". Why
> >> is that necessary
> >
> > It's not, I just explained how to do it without.
>
> Your explanation seems to presuppose that we somehow can't process the
> database-specific rules before selecting a database. I don't
> understand why that would be the case. Why can't we just check all
> the rules and then, if we decide to allow the connection, select the
> database?

Some rules are user-specific, but I see that doesn't matter and you are right.

We can process the whole pg_hba.conf to see if it returns reject or implicitreject before attempting to confirm the existence of any database or any user. Any other result must be implemented during ClientAuthentication(). So we may as well run the whole set of rules, work out which rule applies and then remember that for later use. Just as efficient, better security.

--
Simon Riggs www.2ndQuadrant.com
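
The ordering proposed in the message above, as an added Python sketch that is not part of the original thread and is not PostgreSQL code. The rule fields, sample rules, `KNOWN_DATABASES`, `catalog_lookups` and the `credentials_ok` stand-in for authentication are all assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class HbaRule(NamedTuple):   # simplified model of one pg_hba.conf line
    database: str            # database name or "all"
    user: str                # role name or "all"
    network: str             # CIDR range of client addresses
    method: str              # "reject", "trust", "md5", ...

# Constructed sample rules in file order; the first match wins.
RULES = [
    HbaRule("all", "all", "10.0.0.0/8", "md5"),
    HbaRule("all", "all", "192.0.2.0/24", "reject"),
]
KNOWN_DATABASES = {"sales"}  # constructed stand-in for the catalog
catalog_lookups = []         # records every existence check performed

def database_exists(name):
    catalog_lookups.append(name)
    return name in KNOWN_DATABASES

def match_hba(database, user, client_ip):
    """Match on the requested names only; no existence check is needed."""
    addr = ipaddress.ip_address(client_ip)
    for rule in RULES:
        if (rule.database in ("all", database)
                and rule.user in ("all", user)
                and addr in ipaddress.ip_network(rule.network)):
            return rule.method
    return "implicitreject"  # no rule matched

def connect(database, user, client_ip, credentials_ok):
    # Step 1: run the whole rule set and remember which method applies.
    method = match_hba(database, user, client_ip)
    if method in ("reject", "implicitreject"):
        # Decided before any catalog access, so the reply is identical
        # whether or not the database or user exists.
        return "rejected by pg_hba.conf"
    # Step 2: apply the remembered method (assumption: authentication
    # completes before the database is looked up).
    if method != "trust" and not credentials_ok:
        return "authentication failed"
    # Step 3: only now confirm the database exists.
    if not database_exists(database):
        return "database does not exist"
    return "connected"
```

A rejected client gets the same reply for `sales` and for a database that does not exist, and `catalog_lookups` stays empty until a connection has passed both the rule check and authentication.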