On 2/14/14, 10:14 AM, Andres Freund wrote:
>I was asking for use-cases so we could figure out what's the right thing;-)
>
>The argument about wanting to assemble a pg_hba file from separately
>managed configuration pieces seems to have some merit, but the weak
>spot there is how do you define the search order?  Or are you planning
>to just cross your fingers and hope it doesn't matter too much?
The usual solution is to prepend a numeric prefix guaranteeing the
search order. 00 is sysadmin stuff, 10 replication, 20 database specific
or somesuch. I think most admins using automated tools to manage bigger
configuration files by using some .d config directory already know how
to deal with that problem.

Would the inclusion of the entire directory be done via a single #include (or 
whatever syntax) directive in pg_hba.conf?

I think that's probably OK. But if we're talking about something like "hey, if 
there's a pg_hba.d directory then magically slurp that in", that's far less useful 
and a much bigger foot-gun. (It also wouldn't provide any value for what Jerry (the op) 
needs).


To summarize, here's what I've seen on this discussion:

- People seem to generally be in favor of the idea of "includes", though it's not 
completely clear if people want specific "include file X at this point in the ruleset" or 
something more nebulous.
- It would be useful to have a mechanism for testing a pg_hba.conf file.
- It would also be useful for denied connections to log the actual line/file 
that denied the connection.
- This would be a good GSoC project.
--
Jim C. Nasby, Data Architect                       j...@nasby.net
512.569.9461 (cell)                         http://jim.nasby.net
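The search-order question raised in this message, as an added example that is not part of the original thread and is not PostgreSQL code: fragments are assembled in sorted file-name order, checked first-match as pg_hba.conf records are, and the file and line that decided the outcome are reported. The fragment names, addresses and the `pg_hba.d/` layout are constructed, and the model is simplified to `host` records with CIDR addresses and the `all` keyword.

```python
import ipaddress

# Constructed fragments, as they might sit in a hypothetical pg_hba.d/ directory.
# Dict order deliberately differs from sorted order to show why ordering matters.
FRAGMENTS = {
    "20-app.conf": "host appdb app 10.0.0.0/8 scram-sha-256\n",
    "00-sysadmin.conf": "# quarantine subnet\nhost all all 10.9.0.0/16 reject\n",
    "10-replication.conf": "host replication repl 10.1.2.0/24 scram-sha-256\n",
}

def assemble(fragments, order=None):
    """Flatten fragments into one rule list; default order is sorted file name."""
    rules = []
    for name in (order or sorted(fragments)):
        for lineno, line in enumerate(fragments[name].splitlines(), 1):
            fields = line.split("#", 1)[0].split()  # drop comments and blanks
            if not fields:
                continue
            if len(fields) != 5 or fields[0] != "host":
                raise ValueError(f"{name}:{lineno}: unsupported record")
            _, db, user, cidr, method = fields
            rules.append((name, lineno, db, user,
                          ipaddress.ip_network(cidr), method))
    return rules

def first_match(rules, db, user, addr):
    """Return (file, line, method) for the first record that matches."""
    ip = ipaddress.ip_address(addr)
    for name, lineno, rdb, ruser, net, method in rules:
        if rdb in ("all", db) and ruser in ("all", user) and ip in net:
            return name, lineno, method
    return None  # no record matched, so the connection is refused

if __name__ == "__main__":
    conn = ("appdb", "app", "10.9.3.4")
    # Numeric-prefix order: the sysadmin reject rule is seen first.
    print(first_match(assemble(FRAGMENTS), *conn))
    # Arbitrary order: the broader application rule wins instead.
    print(first_match(assemble(FRAGMENTS, order=list(FRAGMENTS)), *conn))
```

The same connection is rejected or allowed depending only on the order in which the fragments are read, which is why an implicit directory include needs a defined ordering and why logging the deciding file and line helps.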

