diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 086fafc..3f4724c 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -7804,6 +7804,11 @@
+ pg_hba_rules
+ summary of client authentication configuration file contents
+
+
+ pg_groupgroups of database users
@@ -8352,6 +8357,125 @@
+
+ pg_hba_rules
+
+
+ pg_hba_rules
+
+
+
+ The view pg_hba_rules provides a summary of
+ the contents of the client authentication configuration file. A row
+ appears in this view for each entry appearing in the file, with annotations
+ indicating whether the rule could be applied successfully.
+
+
+
+ pg_hba_rules> Columns
+
+
+
+
+ Name
+ Type
+ Description
+
+
+
+
+ line_number
+ integer
+
+ Line number of the client authentication rule in
+ pg_hba.conf file
+
+
+
+ type
+ text
+ Type of connection
+
+
+ database
+ text[]
+ List of database names
+
+
+ user_name
+ text[]
+ List of user names
+
+
+ address
+ text
+
+ Address specifies the set of hosts the record matches.
+ It can be a host name, or it is made up of an IP address
+ or keywords such as (all,
+ samehost and samenet).
+
+
+
+ netmask
+ text
+ Address mask if exist
+
+
+ auth_method
+ text
+ Authentication method
+
+
+ options
+ text[]
+ Configuration options set for authentication method
+
+
+ error
+ text
+
+ If not null, an error message indicates why this
+ rule could not be loaded.
+
+
+
+
+
+
+
+ error field, if not NULL, describes problem
+ in the rule on the line line_number.
+ Following is the sample output of the view.
+
+
+
+SELECT line_number, type, database, user_name, auth_method FROM pg_hba_rules;
+
+
+
+ line_number | type | database | user_name | address | auth_method
+-------------+-------+------------+------------+--------------+-------------
+ 84 | local | {all} | {all} | | trust
+ 86 | host | {sameuser} | {postgres} | all | trust
+ 88 | host | {postgres} | {postgres} | ::1 | trust
+ 111 | host | {all} | {all} | 127.0.0.1 | trust
+ 121 | host | {all} | {all} | localhost | trust
+ 128 | host | {postgres} | {all} | samenet | ident
+ 134 | host | {postgres} | {all} | samehost | md5
+ 140 | host | {db1,db2} | {all} | .example.com | md5
+ 149 | host | {test} | {test} | 192.168.54.1 | reject
+ 159 | host | {all} | {+support} | 192.168.0.0 | ident
+ 169 | local | {sameuser} | {all} | | md5
+(11 rows)
+
+
+
+ See for more information about the various
+ ways to change client authentication configuration.
+
+
+
pg_group
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index dda5891..f20486c 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -54,6 +54,13 @@
database user names and OS user names.
+
+ The system view
+ pg_hba_rules
+ can be helpful for pre-testing changes to the client authentication configuration file, or for
+ diagnosing problems if loading of file did not have the desired effects.
+
+
The pg_hba.conf File
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 4dfedf8..d920a72 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -459,6 +459,12 @@ CREATE VIEW pg_file_settings AS
REVOKE ALL on pg_file_settings FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION pg_show_all_file_settings() FROM PUBLIC;
+CREATE VIEW pg_hba_rules AS
+ SELECT * FROM pg_hba_rules() AS A;
+
+REVOKE ALL on pg_hba_rules FROM PUBLIC;
+REVOKE EXECUTE ON FUNCTION pg_hba_rules() FROM PUBLIC;
+
CREATE VIEW pg_timezone_abbrevs AS
SELECT * FROM pg_timezone_abbrevs();
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index bbe0a88..6986383 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -25,15 +25,22 @@
#include
#include
+#include "access/htup_details.h"
+#include "catalog/objectaddress.h"
#include "catalog/pg_collation.h"
+#include "catalog/pg_type.h"
#include "common/ip.h"
+#include "funcapi.h"
#include "libpq/ifaddr.h"
#include "libpq/libpq.h"
+#include "miscadmin.h"
#include "postmaster/postmaster.h"
#include "regex/regex.h"
#include "replication/walsender.h"
#include "storage/fd.h"
+#include "storage/ipc.h"
#include "utils/acl.h"
+#include "utils/builtins.h"
#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
@@ -86,9 +93,34 @@ typedef struct TokenizedLine
List *fields; /* List of lists of HbaTokens */
int line_num; /* Line number */
char *raw_line; /* Raw line text */
+ char *err_msg; /* Error message in the line if any */
} TokenizedLine;
/*
+ * The following character array represents the names of the authentication
+ * methods that are supported by the PostgreSQL.
+ *
+ * NOTE: This structure should be in sync with the UserAuth enum.
+ */
+static char *UserAuthName[] =
+{
+ "reject",
+ "implict reject", /* Not possible to set by user */
+ "trust",
+ "ident",
+ "password",
+ "md5",
+ "gss",
+ "sspi",
+ "pam",
+ "bsd",
+ "ldap",
+ "cert",
+ "radius",
+ "peer"
+};
+
+/*
* pre-parsed content of HBA config file: list of HbaLine structs.
* parsed_hba_context is the memory context where it lives.
*/
@@ -108,11 +140,15 @@ static MemoryContext parsed_ident_context = NULL;
static MemoryContext tokenize_file(const char *filename, FILE *file,
- List **tok_lines);
+ List **tok_lines, int level);
static List *tokenize_inc_file(List *tokens, const char *outer_filename,
- const char *inc_filename);
+ const char *inc_filename, int level, char **err_msg);
static bool parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
- int line_num);
+ int line_num, int level, char **err_msg);
+static Datum gethba_options(HbaLine *hba);
+static void fill_hba_line(TupleDesc tupdesc, Tuplestorestate *tuple_store,
+ int lineno, HbaLine *hba, const char *err_msg);
+static void fill_hba(TupleDesc tupdesc, Tuplestorestate *tuple_store);
/*
* isblank() exists in the ISO C99 spec, but it's not very portable yet,
@@ -151,7 +187,7 @@ pg_isblank(const char c)
*/
static bool
next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote,
- bool *terminating_comma)
+ bool *terminating_comma, int level, char **err_msg)
{
int c;
char *start_buf = buf;
@@ -197,10 +233,12 @@ next_token(char **lineptr, char *buf, int bufsz, bool *initial_quote,
if (buf >= end_buf)
{
*buf = '\0';
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("authentication file token too long, skipping: \"%s\"",
start_buf)));
+ *err_msg = psprintf("authentication file token too long, skipping: \"%s\"",
+ start_buf);
/* Discard remainder of line */
while ((c = (*(*lineptr)++)) != '\0' && c != '\n')
;
@@ -279,7 +317,7 @@ copy_hba_token(HbaToken *in)
* or NIL if we reached EOL.
*/
static List *
-next_field_expand(const char *filename, char **lineptr)
+next_field_expand(const char *filename, char **lineptr, int level, char **err_msg)
{
char buf[MAX_TOKEN];
bool trailing_comma;
@@ -288,15 +326,15 @@ next_field_expand(const char *filename, char **lineptr)
do
{
- if (!next_token(lineptr, buf, sizeof(buf), &initial_quote, &trailing_comma))
+ if (!next_token(lineptr, buf, sizeof(buf), &initial_quote, &trailing_comma, level, err_msg) || (*err_msg != NULL))
break;
/* Is this referencing a file? */
if (!initial_quote && buf[0] == '@' && buf[1] != '\0')
- tokens = tokenize_inc_file(tokens, filename, buf + 1);
+ tokens = tokenize_inc_file(tokens, filename, buf + 1, level, err_msg);
else
tokens = lappend(tokens, make_hba_token(buf, initial_quote));
- } while (trailing_comma);
+ } while (trailing_comma && (*err_msg == NULL));
return tokens;
}
@@ -313,7 +351,9 @@ next_field_expand(const char *filename, char **lineptr)
static List *
tokenize_inc_file(List *tokens,
const char *outer_filename,
- const char *inc_filename)
+ const char *inc_filename,
+ int level,
+ char **err_msg)
{
char *inc_fullname;
FILE *inc_file;
@@ -340,16 +380,20 @@ tokenize_inc_file(List *tokens,
inc_file = AllocateFile(inc_fullname, "r");
if (inc_file == NULL)
{
- ereport(LOG,
+ int save_errno = errno;
+
+ ereport(level,
(errcode_for_file_access(),
errmsg("could not open secondary authentication file \"@%s\" as \"%s\": %m",
inc_filename, inc_fullname)));
+ *err_msg = psprintf("could not open secondary authentication file \"@%s\" as \"%s\": \"%s\"",
+ inc_filename, inc_fullname, strerror(save_errno));
pfree(inc_fullname);
return tokens;
}
/* There is possible recursion here if the file contains @ */
- linecxt = tokenize_file(inc_fullname, inc_file, &inc_lines);
+ linecxt = tokenize_file(inc_fullname, inc_file, &inc_lines, level);
FreeFile(inc_file);
pfree(inc_fullname);
@@ -389,7 +433,7 @@ tokenize_inc_file(List *tokens,
* this function (it's a child of caller's context).
*/
static MemoryContext
-tokenize_file(const char *filename, FILE *file, List **tok_lines)
+tokenize_file(const char *filename, FILE *file, List **tok_lines, int level)
{
int line_number = 1;
MemoryContext linecxt;
@@ -407,6 +451,7 @@ tokenize_file(const char *filename, FILE *file, List **tok_lines)
char rawline[MAX_LINE];
char *lineptr;
List *current_line = NIL;
+ char *err_msg = NULL;
if (!fgets(rawline, sizeof(rawline), file))
break;
@@ -425,11 +470,11 @@ tokenize_file(const char *filename, FILE *file, List **tok_lines)
/* Parse fields */
lineptr = rawline;
- while (*lineptr)
+ while (*lineptr && (err_msg == NULL))
{
List *current_field;
- current_field = next_field_expand(filename, &lineptr);
+ current_field = next_field_expand(filename, &lineptr, level, &err_msg);
/* add field to line, unless we are at EOL or comment start */
if (current_field != NIL)
current_line = lappend(current_line, current_field);
@@ -444,6 +489,7 @@ tokenize_file(const char *filename, FILE *file, List **tok_lines)
tok_line->fields = current_line;
tok_line->line_num = line_number;
tok_line->raw_line = pstrdup(rawline);
+ tok_line->err_msg = err_msg;
*tok_lines = lappend(*tok_lines, tok_line);
}
@@ -755,13 +801,15 @@ check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
* reporting error if it's not.
*/
#define INVALID_AUTH_OPTION(optname, validmethods) do {\
- ereport(LOG, \
+ ereport(level, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
/* translator: the second %s is a list of auth methods */ \
errmsg("authentication option \"%s\" is only valid for authentication methods %s", \
optname, _(validmethods)), \
errcontext("line %d of configuration file \"%s\"", \
line_num, HbaFileName))); \
+ *err_msg = psprintf("authentication option \"%s\" is only valid for authentication methods %s", \
+ optname, validmethods); \
return false; \
} while (0);
@@ -772,12 +820,14 @@ check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
#define MANDATORY_AUTH_ARG(argvar, argname, authname) do {\
if (argvar == NULL) {\
- ereport(LOG, \
+ ereport(level, \
(errcode(ERRCODE_CONFIG_FILE_ERROR), \
errmsg("authentication method \"%s\" requires argument \"%s\" to be set", \
authname, argname), \
errcontext("line %d of configuration file \"%s\"", \
line_num, HbaFileName))); \
+ tok_line->err_msg = psprintf("authentication method \"%s\" requires argument \"%s\" to be set", \
+ authname, argname); \
return NULL; \
} \
} while (0);
@@ -824,7 +874,7 @@ check_same_host_or_net(SockAddr *raddr, IPCompareMethod method)
* NULL.
*/
static HbaLine *
-parse_hba_line(TokenizedLine *tok_line)
+parse_hba_line(TokenizedLine * tok_line, int level)
{
int line_num = tok_line->line_num;
char *str;
@@ -849,12 +899,13 @@ parse_hba_line(TokenizedLine *tok_line)
tokens = lfirst(field);
if (tokens->length > 1)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("multiple values specified for connection type"),
errhint("Specify exactly one connection type per line."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "multiple values specified for connection type";
return NULL;
}
token = linitial(tokens);
@@ -863,11 +914,12 @@ parse_hba_line(TokenizedLine *tok_line)
#ifdef HAVE_UNIX_SOCKETS
parsedline->conntype = ctLocal;
#else
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("local connections are not supported by this build"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "local connections are not supported by this build";
return NULL;
#endif
}
@@ -882,19 +934,23 @@ parse_hba_line(TokenizedLine *tok_line)
/* Log a warning if SSL support is not active */
#ifdef USE_SSL
if (!EnableSSL)
- ereport(LOG,
+ {
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("hostssl record cannot match because SSL is disabled"),
errhint("Set ssl = on in postgresql.conf."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "hostssl record cannot match because SSL is disabled";
+ }
#else
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("hostssl record cannot match because SSL is not supported by this build"),
errhint("Compile with --with-openssl to use SSL connections."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "hostssl record cannot match because SSL is not supported by this build";
#endif
}
else if (token->string[4] == 'n') /* "hostnossl" */
@@ -909,12 +965,13 @@ parse_hba_line(TokenizedLine *tok_line)
} /* record type */
else
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid connection type \"%s\"",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = psprintf("invalid connection type \"%s\"", token->string);
return NULL;
}
@@ -922,11 +979,12 @@ parse_hba_line(TokenizedLine *tok_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before database specification"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "end-of-line before database specification";
return NULL;
}
parsedline->databases = NIL;
@@ -941,11 +999,12 @@ parse_hba_line(TokenizedLine *tok_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before role specification"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "end-of-line before role specification";
return NULL;
}
parsedline->roles = NIL;
@@ -962,22 +1021,24 @@ parse_hba_line(TokenizedLine *tok_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before IP address specification"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "end-of-line before IP address specification";
return NULL;
}
tokens = lfirst(field);
if (tokens->length > 1)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("multiple values specified for host address"),
errhint("Specify one address range per line."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "multiple values specified for host address";
return NULL;
}
token = linitial(tokens);
@@ -1027,12 +1088,14 @@ parse_hba_line(TokenizedLine *tok_line)
parsedline->hostname = str;
else
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid IP address \"%s\": %s",
str, gai_strerror(ret)),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = psprintf("invalid IP address \"%s\": %s",
+ str, gai_strerror(ret));
if (gai_result)
pg_freeaddrinfo_all(hints.ai_family, gai_result);
return NULL;
@@ -1045,24 +1108,28 @@ parse_hba_line(TokenizedLine *tok_line)
{
if (parsedline->hostname)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("specifying both host name and CIDR mask is invalid: \"%s\"",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = psprintf("specifying both host name and CIDR mask is invalid: \"%s\"",
+ token->string);
return NULL;
}
if (pg_sockaddr_cidr_mask(&parsedline->mask, cidr_slash + 1,
parsedline->addr.ss_family) < 0)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid CIDR mask in address \"%s\"",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = psprintf("invalid CIDR mask in address \"%s\"",
+ token->string);
return NULL;
}
pfree(str);
@@ -1074,22 +1141,24 @@ parse_hba_line(TokenizedLine *tok_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before netmask specification"),
errhint("Specify an address range in CIDR notation, or provide a separate netmask."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "end-of-line before netmask specification";
return NULL;
}
tokens = lfirst(field);
if (tokens->length > 1)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("multiple values specified for netmask"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "multiple values specified for netmask";
return NULL;
}
token = linitial(tokens);
@@ -1098,12 +1167,14 @@ parse_hba_line(TokenizedLine *tok_line)
&hints, &gai_result);
if (ret || !gai_result)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid IP mask \"%s\": %s",
token->string, gai_strerror(ret)),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = psprintf("invalid IP mask \"%s\": %s",
+ token->string, gai_strerror(ret));
if (gai_result)
pg_freeaddrinfo_all(hints.ai_family, gai_result);
return NULL;
@@ -1115,11 +1186,12 @@ parse_hba_line(TokenizedLine *tok_line)
if (parsedline->addr.ss_family != parsedline->mask.ss_family)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("IP address and mask do not match"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "IP address and mask do not match";
return NULL;
}
}
@@ -1130,22 +1202,24 @@ parse_hba_line(TokenizedLine *tok_line)
field = lnext(field);
if (!field)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("end-of-line before authentication method"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "end-of-line before authentication method";
return NULL;
}
tokens = lfirst(field);
if (tokens->length > 1)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("multiple values specified for authentication type"),
errhint("Specify exactly one authentication type per line."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "multiple values specified for authentication type";
return NULL;
}
token = linitial(tokens);
@@ -1177,11 +1251,12 @@ parse_hba_line(TokenizedLine *tok_line)
{
if (Db_user_namespace)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "MD5 authentication is not supported when \"db_user_namespace\" is enabled";
return NULL;
}
parsedline->auth_method = uaMD5;
@@ -1214,23 +1289,27 @@ parse_hba_line(TokenizedLine *tok_line)
parsedline->auth_method = uaRADIUS;
else
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid authentication method \"%s\"",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = psprintf("invalid authentication method \"%s\"",
+ token->string);
return NULL;
}
if (unsupauth)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid authentication method \"%s\": not supported by this build",
token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = psprintf("invalid authentication method \"%s\": not supported by this build",
+ token->string);
return NULL;
}
@@ -1246,22 +1325,24 @@ parse_hba_line(TokenizedLine *tok_line)
if (parsedline->conntype == ctLocal &&
parsedline->auth_method == uaGSS)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("gssapi authentication is not supported on local sockets"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "gssapi authentication is not supported on local sockets";
return NULL;
}
if (parsedline->conntype != ctLocal &&
parsedline->auth_method == uaPeer)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("peer authentication is only supported on local sockets"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "peer authentication is only supported on local sockets";
return NULL;
}
@@ -1274,11 +1355,12 @@ parse_hba_line(TokenizedLine *tok_line)
if (parsedline->conntype != ctHostSSL &&
parsedline->auth_method == uaCert)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("cert authentication is only supported on hostssl connections"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "cert authentication is only supported on hostssl connections";
return NULL;
}
@@ -1323,16 +1405,18 @@ parse_hba_line(TokenizedLine *tok_line)
/*
* Got something that's not a name=value pair.
*/
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("authentication option not in name=value format: %s", token->string),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = psprintf("authentication option not in name=value format: %s",
+ token->string);
return NULL;
}
*val++ = '\0'; /* str now holds "name", val holds "value" */
- if (!parse_hba_auth_opt(str, val, parsedline, line_num))
+ if (!parse_hba_auth_opt(str, val, parsedline, line_num, level, &tok_line->err_msg))
/* parse_hba_auth_opt already logged the error message */
return NULL;
pfree(str);
@@ -1360,21 +1444,23 @@ parse_hba_line(TokenizedLine *tok_line)
parsedline->ldapbindpasswd ||
parsedline->ldapsearchattribute)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, or ldapurl together with ldapprefix"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "cannot use ldapbasedn, ldapbinddn, ldapbindpasswd, ldapsearchattribute, or ldapurl together with ldapprefix";
return NULL;
}
}
else if (!parsedline->ldapbasedn)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ tok_line->err_msg = "authentication method \"ldap\" requires argument \"ldapbasedn\", \"ldapprefix\", or \"ldapsuffix\" to be set";
return NULL;
}
}
@@ -1402,7 +1488,7 @@ parse_hba_line(TokenizedLine *tok_line)
* encounter an error.
*/
static bool
-parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
+parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num, int level, char **err_msg)
{
#ifdef USE_LDAP
hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
@@ -1422,11 +1508,12 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
{
if (hbaline->conntype != ctHostSSL)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("clientcert can only be configured for \"hostssl\" rows"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = "clientcert can only be configured for \"hostssl\" rows";
return false;
}
if (strcmp(val, "1") == 0)
@@ -1437,11 +1524,12 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
{
if (hbaline->auth_method == uaCert)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("clientcert can not be set to 0 when using \"cert\" authentication"),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = "clientcert can not be set to 0 when using \"cert\" authentication";
return false;
}
hbaline->clientcert = false;
@@ -1473,18 +1561,23 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
rc = ldap_url_parse(val, &urldata);
if (rc != LDAP_SUCCESS)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not parse LDAP URL \"%s\": %s", val, ldap_err2string(rc))));
+ *err_msg = psprintf("could not parse LDAP URL \"%s\": %s",
+ val, ldap_err2string(rc));
return false;
}
if (strcmp(urldata->lud_scheme, "ldap") != 0)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("unsupported LDAP URL scheme: %s", urldata->lud_scheme)));
+ *err_msg = psprintf("unsupported LDAP URL scheme: %s",
+ urldata->lud_scheme);
ldap_free_urldesc(urldata);
+
return false;
}
@@ -1497,17 +1590,19 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
hbaline->ldapscope = urldata->lud_scope;
if (urldata->lud_filter)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("filters not supported in LDAP URLs")));
+ *err_msg = "filters not supported in LDAP URLs";
ldap_free_urldesc(urldata);
return false;
}
ldap_free_urldesc(urldata);
#else /* not OpenLDAP */
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("LDAP URLs not supported on this platform")));
+ *err_msg = "LDAP URLs not supported on this platform";
#endif /* not OpenLDAP */
}
else if (strcmp(name, "ldaptls") == 0)
@@ -1529,11 +1624,12 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
hbaline->ldapport = atoi(val);
if (hbaline->ldapport == 0)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid LDAP port number: \"%s\"", val),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = psprintf("invalid LDAP port number: \"%s\"", val);
return false;
}
}
@@ -1617,12 +1713,14 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
ret = pg_getaddrinfo_all(val, NULL, &hints, &gai_result);
if (ret || !gai_result)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not translate RADIUS server name \"%s\" to address: %s",
val, gai_strerror(ret)),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = psprintf("could not translate RADIUS server name \"%s\" to address: %s",
+ val, gai_strerror(ret));
if (gai_result)
pg_freeaddrinfo_all(hints.ai_family, gai_result);
return false;
@@ -1636,11 +1734,12 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
hbaline->radiusport = atoi(val);
if (hbaline->radiusport == 0)
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("invalid RADIUS port number: \"%s\"", val),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = psprintf("invalid RADIUS port number: \"%s\"", val);
return false;
}
}
@@ -1656,12 +1755,14 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
}
else
{
- ereport(LOG,
+ ereport(level,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("unrecognized authentication option name: \"%s\"",
name),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
+ *err_msg = psprintf("unrecognized authentication option name: \"%s\"",
+ name);
return false;
}
return true;
@@ -1794,7 +1895,7 @@ load_hba(void)
return false;
}
- linecxt = tokenize_file(HbaFileName, file, &hba_lines);
+ linecxt = tokenize_file(HbaFileName, file, &hba_lines, LOG);
FreeFile(file);
/* Now parse all the lines */
@@ -1808,7 +1909,7 @@ load_hba(void)
TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
HbaLine *newline;
- if ((newline = parse_hba_line(tok_line)) == NULL)
+ if ((newline = parse_hba_line(tok_line, LOG)) == NULL)
{
/*
* Parse error in the file, so indicate there's a problem. NB: a
@@ -1878,7 +1979,7 @@ load_hba(void)
* NULL.
*/
static IdentLine *
-parse_ident_line(TokenizedLine *tok_line)
+parse_ident_line(TokenizedLine * tok_line)
{
int line_num = tok_line->line_num;
ListCell *field;
@@ -2170,7 +2271,7 @@ load_ident(void)
return false;
}
- linecxt = tokenize_file(IdentFileName, file, &ident_lines);
+ linecxt = tokenize_file(IdentFileName, file, &ident_lines, LOG);
FreeFile(file);
/* Now parse all the lines */
@@ -2261,3 +2362,355 @@ hba_getauthmethod(hbaPort *port)
{
check_hba(port);
}
+
+/*
+ * The Macro that specifies the maximum number of authentication options
+ * that are possible with any given authentication method that is supported.
+ * Currently LDAP supports 10, The macro value is well above the most any
+ * method needs
+ */
+#define MAX_HBA_OPTIONS 12
+
+static Datum
+gethba_options(HbaLine *hba)
+{
+ int noptions;
+ Datum options[MAX_HBA_OPTIONS];
+
+ noptions = 0;
+
+ if (hba->auth_method == uaGSS || hba->auth_method == uaSSPI)
+ {
+ if (hba->include_realm)
+ options[noptions++] = CStringGetTextDatum("include_realm=true");
+
+ if (hba->krb_realm)
+ options[noptions++] =
+ CStringGetTextDatum(psprintf("krb_realm=%s", hba->krb_realm));
+ }
+
+ if (hba->usermap)
+ options[noptions++] = CStringGetTextDatum(psprintf("map=%s", hba->usermap));
+
+ if (hba->clientcert)
+ options[noptions++] = CStringGetTextDatum("clientcert=true");
+
+ if (hba->pamservice)
+ options[noptions++] = CStringGetTextDatum(psprintf("pamservice=%s", hba->pamservice));
+
+ if (hba->auth_method == uaLDAP)
+ {
+ if (hba->ldapserver)
+ options[noptions++] = CStringGetTextDatum(psprintf("ldapserver=%s", hba->ldapserver));
+
+ if (hba->ldapport)
+ options[noptions++] = CStringGetTextDatum(psprintf("ldapport=%d", hba->ldapport));
+
+ if (hba->ldaptls)
+ options[noptions++] = CStringGetTextDatum("ldaptls=true");
+
+ if (hba->ldapprefix)
+ options[noptions++] = CStringGetTextDatum(psprintf("ldapprefix=%s", hba->ldapprefix));
+
+ if (hba->ldapsuffix)
+ options[noptions++] = CStringGetTextDatum(psprintf("ldapsuffix=%s", hba->ldapsuffix));
+
+ if (hba->ldapbasedn)
+ options[noptions++] = CStringGetTextDatum(psprintf("ldapbasedn=%s", hba->ldapbasedn));
+
+ if (hba->ldapbinddn)
+ options[noptions++] = CStringGetTextDatum(psprintf("ldapbinddn=%s", hba->ldapbinddn));
+
+ if (hba->ldapbindpasswd)
+ options[noptions++] = CStringGetTextDatum(psprintf("ldapbindpasswd=%s", hba->ldapbindpasswd));
+
+ if (hba->ldapsearchattribute)
+ options[noptions++] = CStringGetTextDatum(psprintf("ldapsearchattribute=%s", hba->ldapsearchattribute));
+
+ if (hba->ldapscope)
+ options[noptions++] = CStringGetTextDatum(psprintf("ldapscope=%d", hba->ldapscope));
+ }
+
+ if (hba->auth_method == uaRADIUS)
+ {
+ if (hba->radiusserver)
+ options[noptions++] = CStringGetTextDatum(psprintf("radiusserver=%s", hba->radiusserver));
+
+ if (hba->radiussecret)
+ options[noptions++] = CStringGetTextDatum(psprintf("radiussecret=%s", hba->radiussecret));
+
+ if (hba->radiusidentifier)
+ options[noptions++] = CStringGetTextDatum(psprintf("radiusidentifier=%s", hba->radiusidentifier));
+
+ if (hba->radiusport)
+ options[noptions++] = CStringGetTextDatum(psprintf("radiusport=%d", hba->radiusport));
+ }
+
+ Assert(noptions <= MAX_HBA_OPTIONS);
+ if (noptions)
+ return PointerGetDatum(
+ construct_array(options, noptions, TEXTOID, -1, false, 'i'));
+ return PointerGetDatum(NULL);
+}
+
+#define NUM_PG_HBA_RULES_ATTS 9
+
+static void
+fill_hba_line(TupleDesc tupdesc, Tuplestorestate *tuple_store, int lineno, HbaLine *hba, const char *err_msg)
+{
+ Datum values[NUM_PG_HBA_RULES_ATTS];
+ bool nulls[NUM_PG_HBA_RULES_ATTS];
+ ListCell *dbcell;
+ char buffer[NI_MAXHOST];
+ HeapTuple tuple;
+ int index;
+ Datum options;
+
+ index = 0;
+ memset(values, 0, sizeof(values));
+ memset(nulls, 0, sizeof(nulls));
+
+ /* line_number */
+ values[index] = Int32GetDatum(lineno);
+
+ if (err_msg)
+ {
+ /* set all remaining columns as NULL, except error column */
+ memset(&nulls[1], true, (NUM_PG_HBA_RULES_ATTS - 2));
+
+ /* error */
+ values[NUM_PG_HBA_RULES_ATTS - 1] = CStringGetTextDatum(err_msg);
+ }
+ else
+ {
+ /* type */
+ index++;
+ switch (hba->conntype)
+ {
+ case ctLocal:
+ values[index] = CStringGetTextDatum("local");
+ break;
+ case ctHost:
+ values[index] = CStringGetTextDatum("host");
+ break;
+ case ctHostSSL:
+ values[index] = CStringGetTextDatum("hostssl");
+ break;
+ case ctHostNoSSL:
+ values[index] = CStringGetTextDatum("hostnossl");
+ break;
+ }
+
+ /* database */
+ index++;
+ if (hba->databases)
+ {
+ List *names = NULL;
+ HbaToken *tok;
+
+ foreach(dbcell, hba->databases)
+ {
+ tok = lfirst(dbcell);
+ names = lappend(names, tok->string);
+ }
+
+ /* database */
+ Assert(names != NULL);
+ values[index] = PointerGetDatum(strlist_to_textarray(names));
+ }
+ else
+ nulls[index] = true;
+
+ /* user */
+ index++;
+ if (hba->roles)
+ {
+ List *roles = NULL;
+ HbaToken *tok;
+
+ foreach(dbcell, hba->roles)
+ {
+ tok = lfirst(dbcell);
+ roles = lappend(roles, tok->string);
+ }
+
+ /* user */
+ Assert(roles != NULL);
+ values[index] = PointerGetDatum(strlist_to_textarray(roles));
+ }
+ else
+ nulls[index] = true;
+
+
+ /* address */
+ index++;
+ switch (hba->ip_cmp_method)
+ {
+ case ipCmpMask:
+ if (hba->hostname)
+ {
+ values[index] = CStringGetTextDatum(hba->hostname);
+ nulls[++index] = true;
+ }
+ else
+ {
+ if (pg_getnameinfo_all(&hba->addr, sizeof(struct sockaddr_storage),
+ buffer, sizeof(buffer),
+ NULL, 0,
+ NI_NUMERICHOST) == 0)
+ {
+ clean_ipv6_addr(hba->addr.ss_family, buffer);
+ values[index] = CStringGetTextDatum(buffer);
+ }
+ else
+ nulls[index] = true;
+
+ /* netmask */
+ if (pg_getnameinfo_all(&hba->mask, sizeof(struct sockaddr_storage),
+ buffer, sizeof(buffer),
+ NULL, 0,
+ NI_NUMERICHOST) == 0)
+ {
+ clean_ipv6_addr(hba->mask.ss_family, buffer);
+ values[++index] = CStringGetTextDatum(buffer);
+ }
+ else
+ nulls[++index] = true;
+ }
+ break;
+ case ipCmpAll:
+ values[index] = CStringGetTextDatum("all");
+ nulls[++index] = true;
+ break;
+ case ipCmpSameHost:
+ values[index] = CStringGetTextDatum("samehost");
+ nulls[++index] = true;
+ break;
+ case ipCmpSameNet:
+ values[index] = CStringGetTextDatum("samenet");
+ nulls[++index] = true;
+ break;
+ }
+
+ /* auth_method */
+ index++;
+ values[index] = CStringGetTextDatum(UserAuthName[hba->auth_method]);
+
+ /* options */
+ index++;
+ options = gethba_options(hba);
+ if (options)
+ values[index] = PointerGetDatum(options);
+ else
+ nulls[index] = true;
+
+ /* error */
+ index++;
+ nulls[index] = true;
+ }
+
+ tuple = heap_form_tuple(tupdesc, values, nulls);
+ tuplestore_puttuple(tuple_store, tuple);
+
+ return;
+}
+
+/*
+ * Read the config file and fill the HbaLine records for the view.
+ */
+static void
+fill_hba(TupleDesc tupdesc, Tuplestorestate *tuple_store)
+{
+ FILE *file;
+ List *hba_lines = NIL;
+ ListCell *line;
+ MemoryContext linecxt;
+ MemoryContext hbacxt;
+ MemoryContext oldcxt;
+
+ file = AllocateFile(HbaFileName, "r");
+ if (file == NULL)
+ {
+ ereport(ERROR,
+ (errcode_for_file_access(),
+ errmsg("could not open configuration file \"%s\": %m",
+ HbaFileName)));
+ return;
+ }
+
+ linecxt = tokenize_file(HbaFileName, file, &hba_lines, DEBUG3);
+ FreeFile(file);
+
+ /* Now parse all the lines */
+ hbacxt = AllocSetContextCreate(CurrentMemoryContext,
+ "hba parser context",
+ ALLOCSET_SMALL_SIZES);
+ oldcxt = MemoryContextSwitchTo(hbacxt);
+ foreach(line, hba_lines)
+ {
+ TokenizedLine *tok_line = (TokenizedLine *) lfirst(line);
+ HbaLine *newline = NULL;
+
+ if (tok_line->err_msg == NULL)
+ newline = parse_hba_line(tok_line, DEBUG3);
+
+ fill_hba_line(tupdesc, tuple_store, tok_line->line_num, newline, tok_line->err_msg);
+ }
+
+ /* Free tokenizer memory */
+ MemoryContextDelete(linecxt);
+ MemoryContextSwitchTo(oldcxt);
+ MemoryContextDelete(hbacxt);
+}
+
+/*
+ * SQL-accessible SRF to return all the settings from the pg_hba.conf
+ * file.
+ */
+Datum
+hba_rules(PG_FUNCTION_ARGS)
+{
+ Tuplestorestate *tuple_store;
+ TupleDesc tupdesc;
+ MemoryContext old_cxt;
+ ReturnSetInfo *rsi;
+
+ /*
+ * We must use the Materialize mode to be safe against HBA file reloads
+ * while the cursor is open. It's also more efficient than having to look
+ * up our current position in the parsed list every time.
+ */
+ rsi = (ReturnSetInfo *) fcinfo->resultinfo;
+
+ /* Check to see if caller supports us returning a tuplestore */
+ if (rsi == NULL || !IsA(rsi, ReturnSetInfo))
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("set-valued function called in context that cannot accept a set")));
+ if (!(rsi->allowedModes & SFRM_Materialize))
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("materialize mode required, but it is not " \
+ "allowed in this context")));
+
+ rsi->returnMode = SFRM_Materialize;
+
+ /* Build a tuple descriptor for our result type */
+ if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
+ elog(ERROR, "return type must be a row type");
+
+ /* Build tuplestore to hold the result rows */
+ old_cxt = MemoryContextSwitchTo(rsi->econtext->ecxt_per_query_memory);
+
+ tuple_store =
+ tuplestore_begin_heap(rsi->allowedModes & SFRM_Materialize_Random,
+ false, work_mem);
+ rsi->setDesc = tupdesc;
+ rsi->setResult = tuple_store;
+
+ MemoryContextSwitchTo(old_cxt);
+
+ fill_hba(tupdesc, tuple_store);
+
+ PG_RETURN_NULL();
+}
diff --git a/src/include/catalog/pg_proc.h b/src/include/catalog/pg_proc.h
index 31c828a..90d61d9 100644
--- a/src/include/catalog/pg_proc.h
+++ b/src/include/catalog/pg_proc.h
@@ -3076,6 +3076,8 @@ DATA(insert OID = 2084 ( pg_show_all_settings PGNSP PGUID 12 1 1000 0 0 f f f f
DESCR("SHOW ALL as a function");
DATA(insert OID = 3329 ( pg_show_all_file_settings PGNSP PGUID 12 1 1000 0 0 f f f f t t v s 0 0 2249 "" "{25,23,23,25,25,16,25}" "{o,o,o,o,o,o,o}" "{sourcefile,sourceline,seqno,name,setting,applied,error}" _null_ _null_ show_all_file_settings _null_ _null_ _null_ ));
DESCR("show config file settings");
+DATA(insert OID = 3401 ( pg_hba_rules PGNSP PGUID 12 1 1000 0 0 f f f f t t v s 0 0 2249 "" "{23,25,1009,1009,25,25,25,1009,25}" "{o,o,o,o,o,o,o,o,o}" "{line_number,type,database,user_name,address,netmask,auth_method,options,error}" _null_ _null_ hba_rules _null_ _null_ _null_ ));
+DESCR("show pg_hba config rules");
DATA(insert OID = 1371 ( pg_lock_status PGNSP PGUID 12 1 1000 0 0 f f f f t t v s 0 0 2249 "" "{25,26,26,23,21,25,28,26,26,21,25,23,25,16,16}" "{o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}" "{locktype,database,relation,page,tuple,virtualxid,transactionid,classid,objid,objsubid,virtualtransaction,pid,mode,granted,fastpath}" _null_ _null_ pg_lock_status _null_ _null_ _null_ ));
DESCR("view system lock information");
DATA(insert OID = 2561 ( pg_blocking_pids PGNSP PGUID 12 1 0 0 0 f f f f t f v s 1 0 1007 "23" _null_ _null_ _null_ _null_ _null_ pg_blocking_pids _null_ _null_ _null_ ));
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index dc7d257..c936308 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -15,11 +15,17 @@
#include "nodes/pg_list.h"
#include "regex/regex.h"
-
+/*
+ * The following enum represents the authentication methods that
+ * are supported by PostgreSQL.
+ *
+ * NOTE: Any additions in this enum must update the UserAuthName array to be
+ * in sync.
+ */
typedef enum UserAuth
{
uaReject,
- uaImplicitReject,
+ uaImplicitReject, /* Not user visibile option */
uaTrust,
uaIdent,
uaPassword,
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index 60abcad..de7860a 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1338,6 +1338,16 @@ pg_group| SELECT pg_authid.rolname AS groname,
WHERE (pg_auth_members.roleid = pg_authid.oid)) AS grolist
FROM pg_authid
WHERE (NOT pg_authid.rolcanlogin);
+pg_hba_rules| SELECT a.line_number,
+ a.type,
+ a.database,
+ a.user_name,
+ a.address,
+ a.netmask,
+ a.auth_method,
+ a.options,
+ a.error
+ FROM pg_hba_rules() a(line_number, type, database, user_name, address, netmask, auth_method, options, error);
pg_indexes| SELECT n.nspname AS schemaname,
c.relname AS tablename,
i.relname AS indexname,