Re: Thoughts on pg_hba.conf rejection

From: Tom Lane
Subject: Re: Thoughts on pg_hba.conf rejection
Msg-id: 8190.1271718587@sss.pgh.pa.us
In reply to: Re: Thoughts on pg_hba.conf rejection (Simon Riggs <simon@2ndQuadrant.com>)
List: pgsql-hackers
Simon Riggs <simon@2ndQuadrant.com> writes:
> With code as currently, yes, though I see that there is a way to do
> this. 

> Rules that have an "all" in the database field of the hba can be applied
> prior to attempting to select the database, as long as the "all" rule is
> above any database-specific rules.

Well, that's nice, but it's an awfully small subset of what the
pg_hba.conf rules might contain.  In particular you can't do anything
that involves group membership checks without access to the catalogs;
and I think a large fraction of installations that are exposed to
untrustworthy connections will be using password auth for them, which
means they still need to connect to the catalogs to get the password.

Now it's possible that we could have a prefilter that rejects
connections if they're coming from an IP address that cannot match
*any* of the pg_hba.conf rules.  Not sure how useful that would really
be in practice though.  It wouldn't do anything extra for people who
keep their DB server behind a firewall.
        regards, tom lane
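
The IP prefilter Tom sketches, as an added example that is not code from the thread or from PostgreSQL: it reads only the address column of a constructed pg_hba.conf and answers, before any catalog access, whether a client address could match any rule at all. The sample file, the function names and the handling of hostname entries are assumptions.

```python
import ipaddress

# Constructed sample pg_hba.conf for this example; not from the thread.
SAMPLE_HBA = """\
# TYPE    DATABASE  USER     ADDRESS                    METHOD
local     all       all                                 peer
host      all       all      127.0.0.1/32               md5
host      all       all      10.0.0.0/8                 reject
host      app       app      192.168.1.0/24             md5
host      all       all      172.16.0.0  255.255.0.0    md5
hostssl   all       +admins  203.0.113.5/32             cert
"""


def parse_hba_networks(text):
    """Collect the address range of every host-type rule, in file order.

    'local' rules are skipped (Unix sockets carry no IP). Hostname and
    samehost/samenet entries are skipped too: an IP-only prefilter cannot
    evaluate them, so they are left to the normal pg_hba.conf pass.
    """
    networks = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] == "local":
            continue
        address = fields[3]
        try:
            if "/" in address:
                networks.append(ipaddress.ip_network(address, strict=False))
            else:  # "address netmask" form: type db user ip mask method
                networks.append(ipaddress.ip_network((address, fields[4]), strict=False))
        except ValueError:
            continue  # hostname, keyword or malformed entry: not prefilterable
    return networks


def address_could_match(networks, client_ip):
    """Pre-catalog check: True if some rule's address range covers client_ip.

    False means no pg_hba.conf rule can ever match this client, so the
    connection can be dropped before touching the catalogs. True only means
    the full rule pass is still needed; the matching rule may be 'reject'.
    """
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


NETWORKS = parse_hba_networks(SAMPLE_HBA)
```

A client that passes this check still goes through the full pg_hba.conf evaluation, including the group-membership and password lookups that need the catalogs, which is exactly the part the prefilter cannot replace.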

