On 08/10/2014 07:48 PM, Craig Ringer wrote:
> Hi all
>
> I just had an idea I wanted to run by you all before turning it into a
> patch.
>
> People seem to get confused when they get auth errors because they
> changed pg_hba.conf but didn't reload.
>
> Should we emit a HINT alongside the main auth error in that case?
>
> Given the amount of confusion that I see around pg_hba.conf from new
> users, I figure anything that makes it less confusing might be a good
> thing if there aren't other consequences.
>
> Interested in a patch?

Given the generally positive reception to this, here's a patch.

The first patch adds an errhint_log, akin to the current errdetail_log,
so we can send a different HINT to the server log than we do to the client.

(Even if DETAIL was appropriate for this info, which it isn't, I can't
use errdetail_log because it's already used for other information in
some of the same error sites.)

The second patch adds a test during errors to report if pg_hba.conf is
stale, or if pg_ident.conf is stale.

Typical output, client:

    psql: FATAL: Peer authentication failed for user "fred"
    HINT: See the server error log for additional information.

Typical output, server:

    LOG: provided user name (fred) and authenticated user name (craig) do not match
    FATAL: Peer authentication failed for user "fred"
    DETAIL: Connection matched pg_hba.conf line 84: "local all all peer"
    HINT: pg_hba.conf has been changed since last server configuration reload. Reload the server configuration to apply the changes.

I've added this to the next CF.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
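
[Added example, not part of the original message and not code from the patch or from PostgreSQL.] A standalone C sketch of the two ideas described above: deciding that a config file is stale, and keeping the detailed hint in the server log while the unauthenticated client sees only fixed text. It assumes staleness is judged by comparing the file's mtime with the time of the last reload, which the message does not state; conf_is_stale, build_hints, make_conf and the demo file name are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <utime.h>
/* Hypothetical helper: 1 if path changed after loaded_at, 0 if not, -1 if it
 * cannot be checked. Compares whole seconds, so same-second edits are missed. */
static int conf_is_stale(const char *path, time_t loaded_at)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return st.st_mtime > loaded_at ? 1 : 0;
}

/* Fill both hints. The client is not authenticated yet, so it gets only fixed
 * text; the file name and its state go to the server log alone. */
static void build_hints(const char *path, const char *name, time_t loaded_at,
                        char *client, size_t clen, char *server, size_t slen)
{
    snprintf(client, clen, "See the server error log for additional information.");
    server[0] = '\0';
    if (conf_is_stale(path, loaded_at) == 1)
        snprintf(server, slen, "%s has been changed since last server "
                 "configuration reload. Reload the server configuration "
                 "to apply the changes.", name);
}

/* Constructed test fixture: create an empty file with a chosen mtime. */
static int make_conf(const char *path, time_t mtime)
{
    struct utimbuf ub = { mtime, mtime };
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fclose(f);
    return utime(path, &ub);
}

int main(void)
{
    char c[128], s[256];
    time_t loaded = time(NULL) - 3600;      /* pretend reload one hour ago */
    if (make_conf("hba_demo.conf", loaded + 60) != 0)
        return 1;
    build_hints("hba_demo.conf", "pg_hba.conf", loaded, c, sizeof c, s, sizeof s);
    printf("client HINT: %s\nserver HINT: %s\n", c, s);
    return remove("hba_demo.conf");
}
```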