pg_hba_rules_4.patch
application/octet-stream
Filename: pg_hba_rules_4.patch
Type: application/octet-stream
Part: 1
Message:
Re: pg_hba_file_settings view patch
Patch
Same data as JSON:
GET /api/v1/attachments/:id/patch
the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes.
API reference →
Format: unified
| File | + | − |
|---|---|---|
| doc/src/sgml/catalogs.sgml | 138 | 0 |
| doc/src/sgml/client-auth.sgml | 7 | 0 |
| src/backend/catalog/system_views.sql | 6 | 0 |
| src/backend/libpq/hba.c | 746 | 57 |
| src/backend/postmaster/postmaster.c | 2 | 2 |
| src/backend/utils/init/postinit.c | 8 | 11 |
| src/include/catalog/pg_proc.h | 2 | 0 |
| src/include/libpq/hba.h | 13 | 1 |
| src/include/utils/builtins.h | 3 | 0 |
| src/test/regress/expected/rules.out | 14 | 0 |
| src/tools/pgindent/typedefs.list | 1 | 0 |
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index bac169a..f52d268 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -7335,6 +7335,11 @@
</row>
<row>
+ <entry><link linkend="view-pg-hba-rules"><structname>pg_hba_rules</structname></link></entry>
+ <entry>summary of client authentication configuration file contents</entry>
+ </row>
+
+ <row>
<entry><link linkend="view-pg-group"><structname>pg_group</structname></link></entry>
<entry>groups of database users</entry>
</row>
@@ -7873,6 +7878,139 @@
</sect1>
+ <sect1 id="view-pg-hba-rules">
+ <title><structname>pg_hba_rules</structname></title>
+
+ <indexterm zone="view-pg-hba-rules">
+ <primary>pg_hba_rules</primary>
+ </indexterm>
+
+ <para>
+ The view <structname>pg_hba_rules</structname> provides a summary of
+ the contents of the client authentication configuration file. A row
+ appears in this view for each entry appearing in the file, with annotations
+ indicating whether the rule could be applied successfully.
+ </para>
+
+ <para>
+ The <structname>pg_hba_rules</structname> view can be read only by
+ superusers.
+ </para>
+
+ <table>
+ <title><structname>pg_hba_rules</> Columns</title>
+
+ <tgroup cols="3">
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Type</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><structfield>line_number</structfield></entry>
+ <entry><structfield>integer</structfield></entry>
+ <entry>
+ Line number within client authentication configuration file
+ the current value was set at
+ </entry>
+ </row>
+ <row>
+ <entry><structfield>type</structfield></entry>
+ <entry><structfield>text</structfield></entry>
+ <entry>Type of connection</entry>
+ </row>
+ <row>
+ <entry><structfield>keyword_database</structfield></entry>
+ <entry><structfield>text[]</structfield></entry>
+ <entry>
+ List of keyword database names,
+ name can be all, sameuser, samerole, replication and samegroup
+ </entry>
+ </row>
+ <row>
+ <entry><structfield>database</structfield></entry>
+ <entry><structfield>text[]</structfield></entry>
+ <entry>List of database name</entry>
+ </row>
+ <row>
+ <entry><structfield>keyword_user</structfield></entry>
+ <entry><structfield>text[]</structfield></entry>
+ <entry>
+ List of keyword user names,
+ name can be all and a group name prefixed with "+"
+ </entry>
+ </row>
+ <row>
+ <entry><structfield>user_name</structfield></entry>
+ <entry><structfield>text[]</structfield></entry>
+ <entry>List of user names</entry>
+ </row>
+ <row>
+ <entry><structfield>keyword_address</structfield></entry>
+ <entry><structfield>text</structfield></entry>
+ <entry>
+ List of keyword address names,
+ name can be all, samehost and samenet
+ </entry>
+ </row>
+ <row>
+ <entry><structfield>address</structfield></entry>
+ <entry><structfield>inet</structfield></entry>
+ <entry>Client machine address</entry>
+ </row>
+ <row>
+ <entry><structfield>netmask</structfield></entry>
+ <entry><structfield>inet</structfield></entry>
+ <entry>Address mask</entry>
+ </row>
+ <row>
+ <entry><structfield>hostname</structfield></entry>
+ <entry><type>text</type></entry>
+ <entry>Client host name</entry>
+ </row>
+ <row>
+ <entry><structfield>method</structfield></entry>
+ <entry><type>text</type></entry>
+ <entry>Authentication method</entry>
+ </row>
+ <row>
+ <entry><structfield>options</structfield></entry>
+ <entry><type>text[]</type></entry>
+ <entry>Configuration options set for authentication method</entry>
+ </row>
+ <row>
+ <entry><structfield>error</structfield></entry>
+ <entry><structfield>text</structfield></entry>
+ <entry>If not null, an error message indicating why this entry could not be applied</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>
+ If the configuration file contains any errors, <structfield>error</structfield> field
+ indicating the problem. Following is the sample output of the view.
+ </para>
+
+<programlisting>
+postgres=# select * from pg_hba_rules;
+ line_number | type | keyword_database | database | keyword_user | user_name | keyword_address | address | netmask | hostname | method | options | error
+-------------+-------+------------------+----------+--------------+-----------+-----------------+-----------+-----------------------------------------+----------+--------+---------+-------
+ 84 | local | {all} | | {all} | | | | | | trust | |
+ 86 | host | {all} | | {all} | | | 127.0.0.1 | 255.255.255.255 | | trust | |
+ 88 | host | {all} | | {all} | | | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | | trust | |
+(3 rows)
+
+</programlisting>
+ <para>
+ See <xref linkend="client-authentication"> for more information about the various
+ ways to change client authentication configuration.
+ </para>
+ </sect1>
+
<sect1 id="view-pg-group">
<title><structname>pg_group</structname></title>
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 960f5b5..798956a 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -54,6 +54,13 @@
database user names and OS user names.
</para>
+ <para>
+ The system view
+ <link linkend="view-pg-hba-rules"><structname>pg_hba_rules</structname></link>
+ can be helpful for pre-testing changes to the client authentication configuration file, or for
+ diagnosing problems if a <systemitem>SIGHUP</> signal did not have the desired effects.
+ </para>
+
<sect1 id="auth-pg-hba-conf">
<title>The <filename>pg_hba.conf</filename> File</title>
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index ada2142..3c79a57 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -427,6 +427,12 @@ CREATE VIEW pg_file_settings AS
REVOKE ALL on pg_file_settings FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION pg_show_all_file_settings() FROM PUBLIC;
+CREATE VIEW pg_hba_rules AS
+ SELECT * FROM pg_hba_rules() AS A;
+
+REVOKE ALL on pg_hba_rules FROM PUBLIC;
+REVOKE EXECUTE ON FUNCTION pg_hba_rules() FROM PUBLIC;
+
CREATE VIEW pg_timezone_abbrevs AS
SELECT * FROM pg_timezone_abbrevs();
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f1e9a38..de12ea2 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -25,15 +25,21 @@
#include <arpa/inet.h>
#include <unistd.h>
+#include "access/htup_details.h"
+#include "catalog/objectaddress.h"
#include "catalog/pg_collation.h"
+#include "catalog/pg_type.h"
#include "common/ip.h"
+#include "funcapi.h"
#include "libpq/ifaddr.h"
#include "libpq/libpq.h"
+#include "miscadmin.h"
#include "postmaster/postmaster.h"
#include "regex/regex.h"
#include "replication/walsender.h"
#include "storage/fd.h"
#include "utils/acl.h"
+#include "utils/builtins.h"
#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
@@ -75,6 +81,15 @@ typedef struct HbaToken
bool quoted;
} HbaToken;
+
+/* Context to use with lookup_hba_line_callback function. */
+typedef struct LookupHbaLineCxt
+{
+ MemoryContext memcxt;
+ TupleDesc tupdesc;
+ Tuplestorestate *tuple_store;
+} LookupHbaLineCxt;
+
/*
* pre-parsed content of HBA config file: list of HbaLine structs.
* parsed_hba_context is the memory context where it lives.
@@ -99,7 +114,11 @@ static MemoryContext tokenize_file(const char *filename, FILE *file,
static List *tokenize_inc_file(List *tokens, const char *outer_filename,
const char *inc_filename);
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
- int line_num);
+ int line_num, int level, char **err_msg);
+static Datum getauthmethod(UserAuth auth_method);
+static Datum gethba_options(HbaLine *hba);
+static void lookup_hba_line_callback(void *context, int lineno, HbaLine *hba, const char *err_msg);
+static bool token_is_a_database_keyword(HbaToken *tok);
/*
* isblank() exists in the ISO C99 spec, but it's not very portable yet,
@@ -748,13 +767,15 @@ check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
* reporting error if it's not.
*/
#define INVALID_AUTH_OPTION(optname, validmethods) do {\
- ereport(LOG, \
+ ereport(level, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
/* translator: the second %s is a list of auth methods */ \
errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
optname, _(validmethods)), \
errcontext("line %d of configuration file \"%s\"", \
line_num, HbaFileName))); \
+ *err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
+ optname, _(validmethods)); \
return false; \
} while (0);
@@ -765,12 +786,14 @@ check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
#define MANDATORY_AUTH_ARG(argvar, argname, authname) do {\
if (argvar == NULL) {\
- ereport(LOG, \
+ ereport(level, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname), \
errcontext("line %d of configuration file \"%s\"", \
line_num, HbaFileName))); \
+ *err_msg = psprintf("authentication method \"%s\" requires argument \"%s\" to be set", \
+ authname, argname); \
return NULL; \
} \
} while (0);
@@ -818,7 +841,7 @@ check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
* NULL.
*/
static HbaLine *
-parse_hba_line(List *line, int line_num, char *raw_line)
+parse_hba_line(List *line, int line_num, char *raw_line, int level, char **err_msg)
{
char *str;
struct addrinfo *gai_result;
@@ -841,12 +864,13 @@ parse_hba_line(List *line, int line_num, char *raw_line)
tokens = lfirst(field);
if (tokens->length > 1)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("multiple values specified for connection type"),
errhint("Specify exactly one connection type per line."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("multiple values specified for connection type"));
return NULL;
}
token = linitial(tokens);
@@ -855,11 +879,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
#ifdef HAVE_UNIX_SOCKETS
parsedline->conntype = ctLocal;
#else
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("local connections are not supported by this build"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("local connections are not supported by this build"));
return NULL;
#endif
}
@@ -876,21 +901,23 @@ parse_hba_line(List *line, int line_num, char *raw_line)
parsedline->conntype = ctHostSSL;
else
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("hostssl requires SSL to be turned on"),
errhint("Set ssl = on in postgresql.conf."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("hostssl requires SSL to be turned on"));
return NULL;
}
#else
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("hostssl is not supported by this build"),
errhint("Compile with --with-openssl to use SSL connections."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("hostssl is not supported by this build"));
return NULL;
#endif
}
@@ -906,12 +933,13 @@ parse_hba_line(List *line, int line_num, char *raw_line)
} /* record type */
else
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid connection type \"%s\"",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("invalid connection type"));
return NULL;
}
@@ -919,11 +947,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before database specification"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("end-of-line before database specification"));
return NULL;
}
parsedline->databases = NIL;
@@ -938,11 +967,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before role specification"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("end-of-line before role specification"));
return NULL;
}
parsedline->roles = NIL;
@@ -959,22 +989,24 @@ parse_hba_line(List *line, int line_num, char *raw_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before IP address specification"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("end-of-line before IP address specification"));
return NULL;
}
tokens = lfirst(field);
if (tokens->length > 1)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("multiple values specified for host address"),
errhint("Specify one address range per line."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("multiple values specified for host address"));
return NULL;
}
token = linitial(tokens);
@@ -1024,7 +1056,7 @@ parse_hba_line(List *line, int line_num, char *raw_line)
parsedline->hostname = str;
else
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid IP address \"%s\": %s",
str, gai_strerror(ret)),
@@ -1032,6 +1064,7 @@ parse_hba_line(List *line, int line_num, char *raw_line)
line_num, HbaFileName)));
if (gai_result)
pg_freeaddrinfo_all(hints.ai_family, gai_result);
+ *err_msg = pstrdup(_("invalid IP address"));
return NULL;
}
@@ -1042,24 +1075,26 @@ parse_hba_line(List *line, int line_num, char *raw_line)
{
if (parsedline->hostname)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("specifying both host name and CIDR mask is invalid: \"%s\"",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("specifying both host name and CIDR mask is invalid"));
return NULL;
}
if (pg_sockaddr_cidr_mask(&parsedline->mask, cidr_slash + 1,
parsedline->addr.ss_family) < 0)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid CIDR mask in address \"%s\"",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("invalid CIDR mask in address"));
return NULL;
}
pfree(str);
@@ -1071,22 +1106,24 @@ parse_hba_line(List *line, int line_num, char *raw_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before netmask specification"),
errhint("Specify an address range in CIDR notation, or provide a separate netmask."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("end-of-line before netmask specification"));
return NULL;
}
tokens = lfirst(field);
if (tokens->length > 1)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("multiple values specified for netmask"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("multiple values specified for netmask"));
return NULL;
}
token = linitial(tokens);
@@ -1095,7 +1132,7 @@ parse_hba_line(List *line, int line_num, char *raw_line)
&hints, &gai_result);
if (ret || !gai_result)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid IP mask \"%s\": %s",
token->string, gai_strerror(ret)),
@@ -1103,6 +1140,7 @@ parse_hba_line(List *line, int line_num, char *raw_line)
line_num, HbaFileName)));
if (gai_result)
pg_freeaddrinfo_all(hints.ai_family, gai_result);
+ *err_msg = pstrdup(_("invalid IP mask"));
return NULL;
}
@@ -1112,11 +1150,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
if (parsedline->addr.ss_family != parsedline->mask.ss_family)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("IP address and mask do not match"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("IP address and mask do not match"));
return NULL;
}
}
@@ -1127,22 +1166,24 @@ parse_hba_line(List *line, int line_num, char *raw_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before authentication method"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("end-of-line before authentication method"));
return NULL;
}
tokens = lfirst(field);
if (tokens->length > 1)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("multiple values specified for authentication type"),
errhint("Specify exactly one authentication type per line."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("multiple values specified for authentication type"));
return NULL;
}
token = linitial(tokens);
@@ -1174,11 +1215,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
{
if (Db_user_namespace)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("MD5 authentication is not supported when \"db_user_namespace\" is enabled"));
return NULL;
}
parsedline->auth_method = uaMD5;
@@ -1211,23 +1253,25 @@ parse_hba_line(List *line, int line_num, char *raw_line)
parsedline->auth_method = uaRADIUS;
else
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid authentication method \"%s\"",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("invalid authentication method"));
return NULL;
}
if (unsupauth)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid authentication method \"%s\": not supported by this build",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("invalid authentication method, not supported by this build"));
return NULL;
}
@@ -1243,22 +1287,24 @@ parse_hba_line(List *line, int line_num, char *raw_line)
if (parsedline->conntype == ctLocal &&
parsedline->auth_method == uaGSS)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("gssapi authentication is not supported on local sockets"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("gssapi authentication is not supported on local sockets"));
return NULL;
}
if (parsedline->conntype != ctLocal &&
parsedline->auth_method == uaPeer)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("peer authentication is only supported on local sockets"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("peer authentication is only supported on local sockets"));
return NULL;
}
@@ -1271,11 +1317,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
if (parsedline->conntype != ctHostSSL &&
parsedline->auth_method == uaCert)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("cert authentication is only supported on hostssl connections"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("cert authentication is only supported on hostssl connections"));
return NULL;
}
@@ -1320,16 +1367,17 @@ parse_hba_line(List *line, int line_num, char *raw_line)
/*
* Got something that's not a name=value pair.
*/
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("authentication option not in name=value format: %s", token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("authentication option not in name=value format"));
return NULL;
}
*val++ = '\0'; /* str now holds "name", val holds "value" */
- if (!parse_hba_auth_opt(str, val, parsedline, line_num))
+ if (!parse_hba_auth_opt(str, val, parsedline, line_num, level, err_msg))
/* parse_hba_auth_opt already logged the error message */
return NULL;
pfree(str);
@@ -1357,21 +1405,23 @@ parse_hba_line(List *line, int line_num, char *raw_line)
parsedline->ldapbindpasswd ||
parsedline->ldapsearchattribute)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, or ldapurl together with ldapprefix"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, or ldapurl together with ldapprefix"));
return NULL;
}
}
else if (!parsedline->ldapbasedn)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"));
return NULL;
}
}
@@ -1399,7 +1449,7 @@ parse_hba_line(List *line, int line_num, char *raw_line)
* encounter an error.
*/
static bool
-parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
+parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num, int level, char **err_msg)
{
#ifdef USE_LDAP
hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
@@ -1423,23 +1473,25 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
*/
if (hbaline->conntype != ctHostSSL)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("clientcert can only be configured for \"hostssl\" rows"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("clientcert can only be configured for \"hostssl\" rows"));
return false;
}
if (strcmp(val, "1") == 0)
{
if (!secure_loaded_verify_locations())
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("client certificates can only be checked if a root certificate store is available"),
errhint("Make sure the configuration parameter \"%s\" is set.", "ssl_ca_file"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("client certificates can only be checked if a root certificate store is available"));
return false;
}
hbaline->clientcert = true;
@@ -1448,11 +1500,12 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
{
if (hbaline->auth_method == uaCert)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("clientcert can not be set to 0 when using \"cert\" authentication"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = pstrdup(_("clientcert can not be set to 0 when using \"cert\" authentication"));
return false;
}
hbaline->clientcert = false;
@@ -1484,18 +1537,21 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
rc = ldap_url_parse(val, &urldata);
if (rc != LDAP_SUCCESS)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not parse LDAP URL \"%s\": %s", val, ldap_err2string(rc))));
+ *err_msg = psprintf("could not parse LDAP URL \"%s\": %s", val, ldap_err2string(rc));
return false;
}
if (strcmp(urldata->lud_scheme, "ldap") != 0)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("unsupported LDAP URL scheme: %s", urldata->lud_scheme)));
+ *err_msg = psprintf("unsupported LDAP URL scheme: %s", urldata->lud_scheme);
ldap_free_urldesc(urldata);
+
return false;
}
@@ -1508,17 +1564,19 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
hbaline->ldapscope = urldata->lud_scope;
if (urldata->lud_filter)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("filters not supported in LDAP URLs")));
+ *err_msg = pstrdup(_("filters not supported in LDAP URLs"));
ldap_free_urldesc(urldata);
return false;
}
ldap_free_urldesc(urldata);
#else /* not OpenLDAP */
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("LDAP URLs not supported on this platform")));
+ *err_msg = pstrdup(_("LDAP URLs not supported on this platform"));
#endif /* not OpenLDAP */
}
else if (strcmp(name, "ldaptls") == 0)
@@ -1540,11 +1598,12 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
hbaline->ldapport = atoi(val);
if (hbaline->ldapport == 0)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid LDAP port number: \"%s\"", val),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = psprintf("invalid LDAP port number: \"%s\"", val);
return false;
}
}
@@ -1628,12 +1687,14 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
ret = pg_getaddrinfo_all(val, NULL, &hints, &gai_result);
if (ret || !gai_result)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not translate RADIUS server name \"%s\" to address: %s",
val, gai_strerror(ret)),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = psprintf("could not translate RADIUS server name \"%s\" to address: %s",
+ val, gai_strerror(ret));
if (gai_result)
pg_freeaddrinfo_all(hints.ai_family, gai_result);
return false;
@@ -1647,11 +1708,12 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
hbaline->radiusport = atoi(val);
if (hbaline->radiusport == 0)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid RADIUS port number: \"%s\"", val),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = psprintf("invalid RADIUS port number: \"%s\"", val);
return false;
}
}
@@ -1667,12 +1729,14 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
}
else
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("unrecognized authentication option name: \"%s\"",
name),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = psprintf("unrecognized authentication option name: \"%s\"",
+ name);
return false;
}
return true;
@@ -1784,7 +1848,7 @@ check_hba(hbaPort *port)
* with the old data.
*/
bool
-load_hba(void)
+load_hba(hba_line_callback callback, void *callback_context)
{
FILE *file;
List *hba_lines = NIL;
@@ -1798,6 +1862,8 @@ load_hba(void)
MemoryContext linecxt;
MemoryContext oldcxt;
MemoryContext hbacxt;
+ char *err_msg = NULL;
+ int log_level = LOG;
file = AllocateFile(HbaFileName, "r");
if (file == NULL)
@@ -1812,18 +1878,24 @@ load_hba(void)
linecxt = tokenize_file(HbaFileName, file, &hba_lines, &hba_line_nums, &hba_raw_lines);
FreeFile(file);
+ if (callback)
+ log_level = DEBUG3;
+
/* Now parse all the lines */
- Assert(PostmasterContext);
- hbacxt = AllocSetContextCreate(PostmasterContext,
+ hbacxt = AllocSetContextCreate(CurrentMemoryContext,
"hba parser context",
ALLOCSET_SMALL_SIZES);
oldcxt = MemoryContextSwitchTo(hbacxt);
forthree(line, hba_lines, line_num, hba_line_nums, raw_line, hba_raw_lines)
{
HbaLine *newline;
+ int lineno = lfirst_int(line_num);
- if ((newline = parse_hba_line(lfirst(line), lfirst_int(line_num), lfirst(raw_line))) == NULL)
+ if ((newline = parse_hba_line(lfirst(line), lineno, lfirst(raw_line), log_level, &err_msg)) == NULL)
{
+ if (callback)
+ callback(callback_context, lineno, newline, err_msg);
+
/*
* Parse error in the file, so indicate there's a problem. NB: a
* problem in a line will free the memory for all previous lines
@@ -1841,10 +1913,24 @@ load_hba(void)
continue;
}
+ if (callback)
+ callback(callback_context, lineno, newline, NULL);
new_parsed_lines = lappend(new_parsed_lines, newline);
}
/*
+ * If callback function is available, then don't update the saved
+ * authentication rules.
+ */
+ if (callback)
+ {
+ MemoryContextDelete(linecxt);
+ MemoryContextSwitchTo(oldcxt);
+ MemoryContextDelete(hbacxt);
+ return true;
+ }
+
+ /*
* A valid HBA file must have at least one entry; else there's no way to
* connect to the postmaster. But only complain about this if we didn't
* already have parsing errors.
@@ -1870,14 +1956,25 @@ load_hba(void)
}
/* Loaded new file successfully, replace the one we use */
- if (parsed_hba_context != NULL)
- MemoryContextDelete(parsed_hba_context);
+ discard_hba();
parsed_hba_context = hbacxt;
parsed_hba_lines = new_parsed_lines;
return true;
}
+void
+discard_hba(void)
+{
+ if (parsed_hba_context != NULL)
+ {
+ MemoryContextDelete(parsed_hba_context);
+ parsed_hba_context = NULL;
+ parsed_hba_lines = NIL;
+ }
+}
+
+
/*
* Parse one tokenised line from the ident config file and store the result in
* an IdentLine structure, or NULL if parsing fails.
@@ -2189,8 +2286,7 @@ load_ident(void)
FreeFile(file);
/* Now parse all the lines */
- Assert(PostmasterContext);
- ident_context = AllocSetContextCreate(PostmasterContext,
+ ident_context = AllocSetContextCreate(CurrentMemoryContext,
"ident parser context",
ALLOCSET_SMALL_SIZES);
oldcxt = MemoryContextSwitchTo(ident_context);
@@ -2241,6 +2337,19 @@ load_ident(void)
}
/* Loaded new file successfully, replace the one we use */
+ discard_ident();
+ parsed_ident_context = ident_context;
+ parsed_ident_lines = new_parsed_lines;
+
+ return true;
+}
+
+void
+discard_ident(void)
+{
+ ListCell *parsed_line_cell;
+ IdentLine *newline;
+
if (parsed_ident_lines != NIL)
{
foreach(parsed_line_cell, parsed_ident_lines)
@@ -2249,14 +2358,15 @@ load_ident(void)
if (newline->ident_user[0] == '/')
pg_regfree(&newline->re);
}
+
+ parsed_ident_lines = NIL;
}
+
if (parsed_ident_context != NULL)
+ {
MemoryContextDelete(parsed_ident_context);
-
- parsed_ident_context = ident_context;
- parsed_ident_lines = new_parsed_lines;
-
- return true;
+ parsed_ident_context = NULL;
+ }
}
@@ -2274,3 +2384,582 @@ hba_getauthmethod(hbaPort *port)
{
check_hba(port);
}
+
+/*
+ * Returns the Text Datum representation of authentication method
+ */
+static Datum
+getauthmethod(UserAuth auth_method)
+{
+ Datum result;
+
+ switch (auth_method)
+ {
+ case uaReject:
+ result = CStringGetTextDatum("reject");
+ break;
+ case uaTrust:
+ result = CStringGetTextDatum("trust");
+ break;
+ case uaIdent:
+ result = CStringGetTextDatum("ident");
+ break;
+ case uaPassword:
+ result = CStringGetTextDatum("password");
+ break;
+ case uaMD5:
+ result = CStringGetTextDatum("md5");
+ break;
+ case uaGSS:
+ result = CStringGetTextDatum("gss");
+ break;
+ case uaSSPI:
+ result = CStringGetTextDatum("sspi");
+ break;
+ case uaPAM:
+ result = CStringGetTextDatum("pam");
+ break;
+ case uaLDAP:
+ result = CStringGetTextDatum("ldap");
+ break;
+ case uaCert:
+ result = CStringGetTextDatum("cert");
+ break;
+ case uaRADIUS:
+ result = CStringGetTextDatum("radius");
+ break;
+ case uaPeer:
+ result = CStringGetTextDatum("peer");
+ break;
+ default:
+ elog(ERROR, "unexpected authentication method in parsed HBA entry");
+ break;
+ }
+
+ return result;
+}
+
+/* LDAP supports 10 currently, keep this well above the most any method needs */
+#define MAX_OPTIONS 12
+
+static Datum
+gethba_options(HbaLine *hba)
+{
+ StringInfoData str;
+ int noptions;
+ Datum options[MAX_OPTIONS];
+ char buffer[64];
+
+ noptions = 0;
+
+ if (hba->auth_method == uaGSS || hba->auth_method == uaSSPI)
+ {
+ if (hba->include_realm)
+ options[noptions++] = CStringGetTextDatum("include_realm=true");
+
+ if (hba->krb_realm)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "krb_realm=");
+ appendStringInfoString(&str, hba->krb_realm);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+ }
+
+ if (hba->usermap)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "map=");
+ appendStringInfoString(&str, hba->usermap);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->clientcert)
+ options[noptions++] = CStringGetTextDatum("clientcert=true");
+
+ if (hba->pamservice)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "pamservice=");
+ appendStringInfoString(&str, hba->pamservice);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->auth_method == uaLDAP)
+ {
+ if (hba->ldapserver)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "ldapserver=");
+ appendStringInfoString(&str, hba->ldapserver);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->ldapport)
+ {
+ initStringInfo(&str);
+ snprintf(buffer, sizeof(buffer), "%d", hba->ldapport);
+ appendStringInfoString(&str, "ldapport=");
+ appendStringInfoString(&str, buffer);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->ldaptls)
+ options[noptions++] = CStringGetTextDatum("ldaptls=true");
+
+ if (hba->ldapprefix)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "ldapprefix=");
+ appendStringInfoString(&str, hba->ldapprefix);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->ldapsuffix)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "ldapsuffix=");
+ appendStringInfoString(&str, hba->ldapsuffix);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->ldapbasedn)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "ldapbasedn=");
+ appendStringInfoString(&str, hba->ldapbasedn);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->ldapbinddn)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "ldapbinddn=");
+ appendStringInfoString(&str, hba->ldapbinddn);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->ldapbindpasswd)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "ldapbindpasswd=");
+ appendStringInfoString(&str, hba->ldapbindpasswd);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->ldapsearchattribute)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "ldapsearchattribute=");
+ appendStringInfoString(&str, hba->ldapsearchattribute);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->ldapscope)
+ {
+ initStringInfo(&str);
+ snprintf(buffer, sizeof(buffer), "%d", hba->ldapscope);
+ appendStringInfoString(&str, "ldapscope=");
+ appendStringInfoString(&str, buffer);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+ }
+
+ if (hba->auth_method == uaRADIUS)
+ {
+ if (hba->radiusserver)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "radiusserver=");
+ appendStringInfoString(&str, hba->radiusserver);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->radiussecret)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "radiussecret=");
+ appendStringInfoString(&str, hba->radiussecret);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->radiusidentifier)
+ {
+ initStringInfo(&str);
+ appendStringInfoString(&str, "radiusidentifier=");
+ appendStringInfoString(&str, hba->radiusidentifier);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+
+ if (hba->radiusport)
+ {
+ initStringInfo(&str);
+ snprintf(buffer, sizeof(buffer), "%d", hba->radiusport);
+ appendStringInfoString(&str, "radiusport=");
+ appendStringInfoString(&str, buffer);
+ options[noptions++] = CStringGetTextDatum(str.data);
+ }
+ }
+
+ Assert(noptions <= MAX_OPTIONS);
+ if (noptions)
+ return PointerGetDatum(
+ construct_array(options, noptions, TEXTOID, -1, false, 'i'));
+ return PointerGetDatum(NULL);
+}
+
+static bool
+token_is_a_database_keyword(HbaToken *tok)
+{
+ if (token_is_keyword(tok, "replication")
+ || token_is_keyword(tok, "all")
+ || token_is_keyword(tok, "sameuser")
+ || token_is_keyword(tok, "samegroup")
+ || token_is_keyword(tok, "samerole"))
+ return true;
+ return false;
+}
+
+#define NUM_PG_HBA_LOOKUP_ATTS 13
+
+static void
+lookup_hba_line_callback(void *context, int lineno, HbaLine *hba, const char *err_msg)
+{
+ Datum values[NUM_PG_HBA_LOOKUP_ATTS];
+ bool nulls[NUM_PG_HBA_LOOKUP_ATTS];
+ ListCell *dbcell;
+ char buffer[NI_MAXHOST];
+ HeapTuple tuple;
+ int index;
+ Datum options;
+ MemoryContext old_cxt;
+ LookupHbaLineCxt *mycxt;
+
+ mycxt = (LookupHbaLineCxt *) context;
+
+ index = 0;
+ memset(values, 0, sizeof(values));
+ memset(nulls, 0, sizeof(nulls));
+
+ old_cxt = MemoryContextSwitchTo(mycxt->memcxt);
+
+ /* line_number */
+ values[index] = Int32GetDatum(lineno);
+
+ if (err_msg)
+ {
+ /* type */
+ index++;
+ nulls[index] = true;
+
+ /* keyword_database */
+ index++;
+ nulls[index] = true;
+
+ /* database */
+ index++;
+ nulls[index] = true;
+
+ /* keyword_user */
+ index++;
+ nulls[index] = true;
+
+ /* user */
+ index++;
+ nulls[index] = true;
+
+ /* keyword_address */
+ index++;
+ nulls[index] = true;
+
+ /* address */
+ index++;
+ nulls[index] = true;
+
+ /* netmask */
+ index++;
+ nulls[index] = true;
+
+ /* hostname */
+ index++;
+ nulls[index] = true;
+
+ /* method */
+ index++;
+ nulls[index] = true;
+
+ /* options */
+ index++;
+ nulls[index] = true;
+
+ /* error */
+ index++;
+ values[index] = CStringGetTextDatum(err_msg);
+ }
+ else
+ {
+ /* type */
+ index++;
+ switch (hba->conntype)
+ {
+ case ctLocal:
+ values[index] = CStringGetTextDatum("local");
+ break;
+ case ctHost:
+ values[index] = CStringGetTextDatum("host");
+ break;
+ case ctHostSSL:
+ values[index] = CStringGetTextDatum("hostssl");
+ break;
+ case ctHostNoSSL:
+ values[index] = CStringGetTextDatum("hostnossl");
+ break;
+ default:
+ elog(ERROR, "unexpected connection type in parsed HBA entry");
+ break;
+ }
+
+ /* keyword_database and database */
+ index++;
+ if (list_length(hba->databases) != 0)
+ {
+ List *names = NULL;
+ List *keyword_names = NULL;
+ HbaToken *tok;
+
+ foreach(dbcell, hba->databases)
+ {
+ tok = lfirst(dbcell);
+ if (token_is_a_database_keyword(tok))
+ keyword_names = lappend(keyword_names, tok->string);
+ else
+ names = lappend(names, tok->string);
+ }
+
+ /* keyword_database */
+ if (keyword_names != NULL)
+ values[index] = PointerGetDatum(strlist_to_textarray(keyword_names));
+ else
+ nulls[index] = true;
+
+ /* database */
+ index++;
+ if (names != NULL)
+ values[index] = PointerGetDatum(strlist_to_textarray(names));
+ else
+ nulls[index] = true;
+ }
+ else
+ {
+ nulls[index] = true;
+ index++;
+ nulls[index] = true;
+ }
+
+ /* keyword_user and user */
+ index++;
+ if (list_length(hba->roles) != 0)
+ {
+ List *roles = NULL;
+ List *keyword_roles = NULL;
+ HbaToken *tok;
+
+ foreach(dbcell, hba->roles)
+ {
+ tok = lfirst(dbcell);
+ if (token_is_keyword(tok, "all"))
+ keyword_roles = lappend(keyword_roles, tok->string);
+ else
+ roles = lappend(roles, tok->string);
+ }
+
+ /* keyword_user */
+ if (keyword_roles != NULL)
+ values[index] = PointerGetDatum(strlist_to_textarray(keyword_roles));
+ else
+ nulls[index] = true;
+
+ /* user */
+ index++;
+ if (roles != NULL)
+ values[index] = PointerGetDatum(strlist_to_textarray(roles));
+ else
+ nulls[index] = true;
+ }
+ else
+ {
+ nulls[index] = true;
+ index++;
+ nulls[index] = true;
+ }
+
+ /* keyword_address */
+ index++;
+ switch (hba->ip_cmp_method)
+ {
+ case ipCmpAll:
+ values[index] = CStringGetTextDatum("all");
+ break;
+ case ipCmpSameHost:
+ values[index] = CStringGetTextDatum("samehost");
+ break;
+ case ipCmpSameNet:
+ values[index] = CStringGetTextDatum("samenet");
+ break;
+ default:
+ nulls[index] = true;
+ break;
+ }
+
+ /* address */
+ index++;
+ if (pg_getnameinfo_all(&hba->addr, sizeof(struct sockaddr_storage),
+ buffer, sizeof(buffer),
+ NULL, 0,
+ NI_NUMERICHOST) == 0)
+ {
+ clean_ipv6_addr(hba->addr.ss_family, buffer);
+ values[index] = DirectFunctionCall1(inet_in, CStringGetDatum(buffer));
+ }
+ else
+ nulls[index] = true;
+
+ /* netmask */
+ index++;
+ if (pg_getnameinfo_all(&hba->mask, sizeof(struct sockaddr_storage),
+ buffer, sizeof(buffer),
+ NULL, 0,
+ NI_NUMERICHOST) == 0)
+ {
+ clean_ipv6_addr(hba->mask.ss_family, buffer);
+ values[index] = DirectFunctionCall1(inet_in, CStringGetDatum(buffer));
+ }
+ else
+ nulls[index] = true;
+
+ /* hostname */
+ index++;
+ if (hba->hostname)
+ values[index] = CStringGetTextDatum(hba->hostname);
+ else
+ nulls[index] = true;
+
+ /* method */
+ index++;
+ values[index] = getauthmethod(hba->auth_method);
+
+ /* options */
+ index++;
+ options = gethba_options(hba);
+ if (options)
+ values[index] = PointerGetDatum(options);
+ else
+ nulls[index] = true;
+
+ /* error */
+ index++;
+ nulls[index] = true;
+ }
+
+ tuple = heap_form_tuple(mycxt->tupdesc, values, nulls);
+ tuplestore_puttuple(mycxt->tuple_store, tuple);
+
+ MemoryContextSwitchTo(old_cxt);
+ return;
+}
+
+
+/*
+ * SQL-accessible SRF to return all the settings from the pg_hba.conf
+ * file.
+ */
+Datum
+hba_rules(PG_FUNCTION_ARGS)
+{
+ Tuplestorestate *tuple_store;
+ TupleDesc tupdesc;
+ MemoryContext old_cxt;
+ LookupHbaLineCxt *mycxt;
+ ReturnSetInfo *rsi;
+
+ if (!superuser())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ (errmsg("must be superuser to view pg_hba.conf settings"))));
+
+ /*
+ * We must use the Materialize mode to be safe against HBA file reloads
+ * while the cursor is open. It's also more efficient than having to look
+ * up our current position in the parsed list every time.
+ */
+ rsi = (ReturnSetInfo *) fcinfo->resultinfo;
+
+ if (!rsi || !IsA(rsi, ReturnSetInfo) ||
+ (rsi->allowedModes & SFRM_Materialize) == 0)
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("set-valued function called in context that cannot accept a set")));
+
+ rsi->returnMode = SFRM_Materialize;
+
+ /*
+ * Create the tupledesc and tuplestore in the per_query context as
+ * required for SFRM_Materialize.
+ */
+ old_cxt = MemoryContextSwitchTo(rsi->econtext->ecxt_per_query_memory);
+
+ tupdesc = CreateTemplateTupleDesc(NUM_PG_HBA_LOOKUP_ATTS, false);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 1, "line_number",
+ INT4OID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 2, "type",
+ TEXTOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 3, "keyword_database",
+ TEXTARRAYOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 4, "database",
+ TEXTARRAYOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 5, "keyword_user",
+ TEXTARRAYOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 6, "user_name",
+ TEXTARRAYOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 7, "keyword_address",
+ TEXTOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 8, "address",
+ INETOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 9, "netmask",
+ INETOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 10, "hostname",
+ TEXTOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 11, "method",
+ TEXTOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 12, "options",
+ TEXTARRAYOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 13, "error",
+ TEXTOID, -1, 0);
+ BlessTupleDesc(tupdesc);
+
+ tuple_store =
+ tuplestore_begin_heap(rsi->allowedModes & SFRM_Materialize_Random,
+ false, work_mem);
+
+ MemoryContextSwitchTo(old_cxt);
+
+ mycxt = (LookupHbaLineCxt *) palloc(sizeof(LookupHbaLineCxt));
+ mycxt->memcxt = AllocSetContextCreate(CurrentMemoryContext,
+ "pg_hba_lookup tuple cxt",
+ ALLOCSET_DEFAULT_SIZES);
+ mycxt->tupdesc = tupdesc;
+ mycxt->tuple_store = tuple_store;
+
+ if (!load_hba(lookup_hba_line_callback, mycxt))
+ ereport(ERROR,
+ (errmsg("failed to load pg_hba.conf file"),
+ errhint("more details may be available in the server log.")));
+
+ MemoryContextDelete(mycxt->memcxt);
+ pfree(mycxt);
+
+ rsi->setDesc = tupdesc;
+ rsi->setResult = tuple_store;
+
+ PG_RETURN_NULL();
+}
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 24add74..3630f07 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -1251,7 +1251,7 @@ PostmasterMain(int argc, char *argv[])
/*
* Load configuration files for client authentication.
*/
- if (!load_hba())
+ if (!load_hba(NULL, NULL))
{
/*
* It makes no sense to continue if we fail to load the HBA file,
@@ -2503,7 +2503,7 @@ SIGHUP_handler(SIGNAL_ARGS)
signal_child(PgStatPID, SIGHUP);
/* Reload authentication config files too */
- if (!load_hba())
+ if (!load_hba(NULL, NULL))
ereport(WARNING,
(errmsg("pg_hba.conf not reloaded")));
diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
index 824d5ab..19446bd 100644
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -192,17 +192,6 @@ PerformAuthentication(Port *port)
* FIXME: [fork/exec] Ugh. Is there a way around this overhead?
*/
#ifdef EXEC_BACKEND
-
- /*
- * load_hba() and load_ident() want to work within the PostmasterContext,
- * so create that if it doesn't exist (which it won't). We'll delete it
- * again later, in PostgresMain.
- */
- if (PostmasterContext == NULL)
- PostmasterContext = AllocSetContextCreate(TopMemoryContext,
- "Postmaster",
- ALLOCSET_DEFAULT_SIZES);
-
if (!load_hba())
{
/*
@@ -737,6 +726,14 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
am_superuser = superuser();
}
+ /*
+ * We don't need the HBA and ident data going forward, but we can't rely
+ * on release of PostmasterContext to clean that up, so discard them
+ * explicitly here.
+ */
+ discard_hba();
+ discard_ident();
+
/*
* If we're trying to shut down, only superusers can connect, and new
* replication connections are not allowed.
diff --git a/src/include/catalog/pg_proc.h b/src/include/catalog/pg_proc.h
index 17ec71d..85e5672 100644
--- a/src/include/catalog/pg_proc.h
+++ b/src/include/catalog/pg_proc.h
@@ -3066,6 +3066,8 @@ DATA(insert OID = 2084 ( pg_show_all_settings PGNSP PGUID 12 1 1000 0 0 f f f f
DESCR("SHOW ALL as a function");
DATA(insert OID = 3329 ( pg_show_all_file_settings PGNSP PGUID 12 1 1000 0 0 f f f f t t v s 0 0 2249 "" "{25,23,23,25,25,16,25}" "{o,o,o,o,o,o,o}" "{sourcefile,sourceline,seqno,name,setting,applied,error}" _null_ _null_ show_all_file_settings _null_ _null_ _null_ ));
DESCR("show config file settings");
+DATA(insert OID = 3343 ( pg_hba_rules PGNSP PGUID 12 1 1000 0 0 f f f f t t v s 0 0 2249 "" "{23,25,1009,1009,1009,1009,25,869,869,25,25,1009,25}" "{o,o,o,o,o,o,o,o,o,o,o,o,o}" "{line_number,type,keyword_database,database,keyword_user,user_name,keyword_address,address,netmask,hostname,method,options,error}" _null_ _null_ hba_rules _null_ _null_ _null_ ));
+DESCR("show pg_hba config rules");
DATA(insert OID = 1371 ( pg_lock_status PGNSP PGUID 12 1 1000 0 0 f f f f t t v s 0 0 2249 "" "{25,26,26,23,21,25,28,26,26,21,25,23,25,16,16}" "{o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}" "{locktype,database,relation,page,tuple,virtualxid,transactionid,classid,objid,objsubid,virtualtransaction,pid,mode,granted,fastpath}" _null_ _null_ pg_lock_status _null_ _null_ _null_ ));
DESCR("view system lock information");
DATA(insert OID = 2561 ( pg_blocking_pids PGNSP PGUID 12 1 0 0 0 f f f f t f v s 1 0 1007 "23" _null_ _null_ _null_ _null_ _null_ pg_blocking_pids _null_ _null_ _null_ ));
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index dc7d257..970f8c5 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -100,8 +100,20 @@ typedef struct IdentLine
/* kluge to avoid including libpq/libpq-be.h here */
typedef struct Port hbaPort;
-extern bool load_hba(void);
+/*
+ * Optional callback function type for load_hba() function.
+ * Currently, valid callback function is passed to load_hba()
+ * by pg_hba_rules function view to frame the hba tuple.
+ */
+typedef void (*hba_line_callback) (void *context, int line_num,
+ HbaLine *hba_line, const char *err_msg);
+
+extern bool load_hba(hba_line_callback callback, void *callback_context);
extern bool load_ident(void);
+
+extern void discard_hba(void);
+extern void discard_ident(void);
+
extern void hba_getauthmethod(hbaPort *port);
extern int check_usermap(const char *usermap_name,
const char *pg_role, const char *auth_user,
diff --git a/src/include/utils/builtins.h b/src/include/utils/builtins.h
index 90f5132..93cc6f1 100644
--- a/src/include/utils/builtins.h
+++ b/src/include/utils/builtins.h
@@ -1189,6 +1189,9 @@ extern Datum pg_control_recovery(PG_FUNCTION_ARGS);
extern Datum row_security_active(PG_FUNCTION_ARGS);
extern Datum row_security_active_name(PG_FUNCTION_ARGS);
+/* hba.c */
+extern Datum hba_rules(PG_FUNCTION_ARGS);
+
/* lockfuncs.c */
extern Datum pg_lock_status(PG_FUNCTION_ARGS);
extern Datum pg_blocking_pids(PG_FUNCTION_ARGS);
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index 5e2962c..2a6ecd7 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1338,6 +1338,20 @@ pg_group| SELECT pg_authid.rolname AS groname,
WHERE (pg_auth_members.roleid = pg_authid.oid)) AS grolist
FROM pg_authid
WHERE (NOT pg_authid.rolcanlogin);
+pg_hba_rules| SELECT a.line_number,
+ a.type,
+ a.keyword_database,
+ a.database,
+ a.keyword_user,
+ a.user_name,
+ a.keyword_address,
+ a.address,
+ a.netmask,
+ a.hostname,
+ a.method,
+ a.options,
+ a.error
+ FROM pg_hba_rules() a(line_number, type, keyword_database, database, keyword_user, user_name, keyword_address, address, netmask, hostname, method, options, error);
pg_indexes| SELECT n.nspname AS schemaname,
c.relname AS tablename,
i.relname AS indexname,
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index 6c6d519..cbfbe16 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -1118,6 +1118,7 @@ LogicalOutputPluginWriterWrite
LogicalRewriteMappingData
LogicalTape
LogicalTapeSet
+LookupHbaLineCxt
MAGIC
MBuf
MEMORY_BASIC_INFORMATION