Re: Regrading TODO item alerting pg_hba.conf from SQL

On Sun, Apr 16, 2006 at 01:08:36PM +0200, Gevik Babakhani wrote:
> Folks,
>
> I would like to start a discussion regarding the TODO item "%Allow
> pg_hba.conf settings to be controlled via SQL"

<snip>

> 1. What do we think about removing the pg_hba.conf functionality keeping
> the connection information in a table. This would mean no more
> pg_hba.conf and when something goes wrong with the table, pg has to be
> started in standalone mode to correct the errors.

Why does it have to be one or the other? While in-database is nice,
having it as a seperate file makes central administration easier
because you can just distribute files. You can also easily compare two
sites to see how the rules differ.

You also have to think about sites that perform maintainence. Currently
they just replace the file and SIGHUP. When the maintainence is
complete, put the file back and SIGHUP again. This is a feature hard to
replicate with in database stuff.

> 2. What do we think about the SQL command to be. Would it be like the
> following or another syntax.
>
> GRANT
>     CONNECTION [LOCAL | HOST | HOSTSSL | HOSTNOSSL ]
>     ON [ ALL | mydatabase1 ]
>     TO [ ALL | user1,user2,user3 ]
>     FROM 127.0.0.1/32
>     METHOD [ TRUST | REJECT | MD5 ...... ]

Apart from the complaint that this makes no attempt to take care of the
fact that entires in pg_hba.conf are order sensetive. Where is that
found in this syntax? What about pg_ident.conf?

> 3. Could someone clarify the design decisions regarding pg_hba.conf
> file? Why was it done the why it is today? (Tom? Bruce?)

Not sure if there was a design. It was created at some point and
evolved.

Now, to just suggest something I've been thinking of. Maybe a way of
thinking about it is similar to firewall chains in linux. You keep
pg_hba.conf but allow it to refer to a new auth type "chain blah". Then
you layer your above grant syntax into those chains. This allow people
to switch between different auth methods quickly by switching files,
while allowing people who want to do everything in the database can do
so too.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.