Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit8a069ab

Browse files
committed
Fix pg_pwd caching mechanism, which was broken by changes to fork
postmaster children before client auth step. Postmaster now rereadspg_pwd on receipt of SIGHUP, the same way that pg_hba.conf is handled.No cycles need be expended to validate password cache validity duringconnection startup.
1 parent6babf6e commit8a069ab

File tree

6 files changed

+183
-142
lines changed

6 files changed

+183
-142
lines changed

‎doc/src/sgml/client-auth.sgml

Lines changed: 54 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.22 2001/10/04 22:27:18 petere Exp $ -->
1+
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.23 2001/11/02 18:39:57 tgl Exp $ -->
22

33
<chapter id="client-authentication">
44
<title>Client Authentication</title>
@@ -67,6 +67,19 @@
6767
tabs. Records cannot be continued across lines.
6868
</para>
6969

70+
<para>
71+
Each record specifies a connection type, a client IP address range
72+
(if relevant for the connection type), a database name or names,
73+
and the authentication method to be used for connections matching
74+
these parameters.
75+
The first record that matches the type, client address and requested
76+
database name of a connection attempt is used to do the
77+
authentication step. There is no <quote>fall-through</> or
78+
<quote>backup</>: if one record is chosen and the authentication
79+
fails, the following records are not considered. If no record
80+
matches, the access will be denied.
81+
</para>
82+
7083
<para>
7184
A record may have one of the three formats
7285
<synopsis>
@@ -107,7 +120,9 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
107120
TCP/IP. To make use of this option the server must be
108121
built with SSL support enabled. Furthermore, SSL must be
109122
enabled with the <option>-l</> option or equivalent configuration
110-
setting when the server is started.
123+
setting when the server is started. (Note: <literal>host</literal>
124+
records will match either SSL or non-SSL connection attempts, but
125+
<literal>hostssl</literal> records match only SSL connections.)
111126
</para>
112127
</listitem>
113128
</varlistentry>
@@ -131,8 +146,9 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
131146
<term><replaceable>IP mask</replaceable></term>
132147
<listitem>
133148
<para>
134-
These two fields control to which hosts a
135-
<literal>host</literal> record applies, based on their IP
149+
These two fields specify to which client machines a
150+
<literal>host</literal> or <literal>hostssl</literal>
151+
record applies, based on their IP
136152
address. (Of course IP addresses can be spoofed but this
137153
consideration is beyond the scope of
138154
<productname>Postgres</productname>.) The precise logic is that
@@ -151,7 +167,8 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
151167
<listitem>
152168
<para>
153169
Specifies the method that users must use to authenticate themselves
154-
when connecting to that database. The possible choices follow,
170+
when connecting under the control of this authentication record.
171+
The possible choices are summarized here,
155172
details are in <xref linkend="auth-methods">.
156173

157174
<variablelist>
@@ -322,17 +339,27 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
322339
</listitem>
323340
</varlistentry>
324341
</variablelist>
342+
</para>
325343

326-
The first record that matches the client IP address and requested
327-
database name of a connection attempt is used to do the
328-
authentication step. There is no <quote>fall-through</> or
329-
<quote>backup</>: if one record is chosen and the authentication
330-
fails, the following records are not considered. If no record
331-
matches, the access will be denied.
344+
<para>
345+
Since the <filename>pg_hba.conf</filename> records are examined
346+
sequentially for each connection attempt, order of the records is
347+
very significant. Typically, earlier records will have tight
348+
connection match parameters and weaker authentication methods,
349+
while later records will have looser match parameters and stronger
350+
authentication methods. For example, one might wish to use
351+
<literal>trust</> authentication for local TCP connections but
352+
require a password for remote TCP connections. In this case a
353+
record specifying <literal>trust</> authentication for connections
354+
from 127.0.0.1 would appear before a record specifying password
355+
authentication for a wider range of allowed client IP addresses.
332356
</para>
333357

334358
<para>
335-
The <filename>pg_hba.conf</filename> file is loaded only on startup
359+
<indexterm>
360+
<primary>SIGHUP</primary>
361+
</indexterm>
362+
The <filename>pg_hba.conf</filename> file is read on startup
336363
and when the <application>postmaster</> receives a
337364
<systemitem>SIGHUP</systemitem> signal. If you edit the file on an
338365
active system, you will need to signal the <application>postmaster</>
@@ -632,15 +659,16 @@ host all 192.168.0.0 255.255.0.0 ident omicron
632659
to connect as the database user he is requesting to connect as.
633660
This is controlled by the ident map
634661
argument that follows the <literal>ident</> keyword in the
635-
<filename>pg_hba.conf</filename> file.The simplestident map is
662+
<filename>pg_hba.conf</filename> file.There is a predefinedident map
636663
<literal>sameuser</literal>, which allows any operating system
637664
user to connect as the database user of the same name (if the
638665
latter exists). Other maps must be created manually.
639666
</para>
640667

641668
<para>
642669
<indexterm><primary>pg_ident.conf</primary></indexterm>
643-
Ident maps are held in the file <filename>pg_ident.conf</filename>
670+
Ident maps other than <literal>sameuser</literal> are defined
671+
in the file <filename>pg_ident.conf</filename>
644672
in the data directory, which contains lines of the general form:
645673
<synopsis>
646674
<replaceable>map-name</> <replaceable>ident-username</> <replaceable>database-username</>
@@ -657,6 +685,18 @@ host all 192.168.0.0 255.255.0.0 ident omicron
657685
versa.
658686
</para>
659687

688+
<para>
689+
<indexterm>
690+
<primary>SIGHUP</primary>
691+
</indexterm>
692+
The <filename>pg_ident.conf</filename> file is read on startup
693+
and when the <application>postmaster</> receives a
694+
<systemitem>SIGHUP</systemitem> signal. If you edit the file on an
695+
active system, you will need to signal the <application>postmaster</>
696+
(using <application>pg_ctl reload</> or <application>kill -HUP</>)
697+
to make it re-read the file.
698+
</para>
699+
660700
<para>
661701
A <filename>pg_ident.conf</filename> file that could be used in
662702
conjunction with the <filename>pg_hba.conf</> file in <xref

‎doc/src/sgml/runtime.sgml

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.91 2001/10/31 20:35:02 petere Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.92 2001/11/02 18:39:57 tgl Exp $
33
-->
44

55
<Chapter Id="runtime">
@@ -479,8 +479,10 @@ syslog = 2
479479
<primary>SIGHUP</primary>
480480
</indexterm>
481481
The configuration file is reread whenever the postmaster receives
482-
a <systemitem>SIGHUP</> signal. This signal is also propagated to all running
483-
backend processes, so that running sessions get the new default.
482+
a <systemitem>SIGHUP</> signal (which is most easily sent by means
483+
of <application>pg_ctl reload</>). The postmaster also propagates
484+
this signal to all already-running backend processes, so that
485+
existing sessions also get the new default.
484486
Alternatively, you can send the signal to only one backend process
485487
directly.
486488
</para>

‎src/backend/commands/user.c

Lines changed: 10 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
* Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
77
* Portions Copyright (c) 1994, Regents of the University of California
88
*
9-
* $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.87 2001/11/01 18:09:58 tgl Exp $
9+
* $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.88 2001/11/02 18:39:57 tgl Exp $
1010
*
1111
*-------------------------------------------------------------------------
1212
*/
@@ -15,6 +15,7 @@
1515
#include<sys/types.h>
1616
#include<sys/stat.h>
1717
#include<fcntl.h>
18+
#include<signal.h>
1819
#include<unistd.h>
1920

2021
#include"access/heapam.h"
@@ -33,14 +34,15 @@
3334
#include"utils/syscache.h"
3435

3536

36-
staticvoidCheckPgUserAclNotNull(void);
3737
externboolPassword_encryption;
3838

39+
staticvoidCheckPgUserAclNotNull(void);
40+
3941
/*---------------------------------------------------------------------
4042
* write_password_file / update_pg_pwd
4143
*
4244
* copy the modified contents of pg_shadow to a file used by the postmaster
43-
* for user authentication. The file is stored as $PGDATA/pg_pwd.
45+
* for user authentication. The file is stored as $PGDATA/global/pg_pwd.
4446
*
4547
* This function set is both a trigger function for direct updates to pg_shadow
4648
* as well as being called directly from create/alter/drop user.
@@ -57,7 +59,6 @@ write_password_file(Relation rel)
5759
*tempname;
5860
intbufsize;
5961
FILE*fp;
60-
intflagfd;
6162
mode_toumask;
6263
HeapScanDescscan;
6364
HeapTupletuple;
@@ -133,7 +134,7 @@ write_password_file(Relation rel)
133134
/*
134135
* The extra columns we emit here are not really necessary. To remove
135136
* them, the parser in backend/libpq/crypt.c would need to be
136-
* adjusted. Initdb might also need adjustments.
137+
* adjusted.
137138
*/
138139
fprintf(fp,
139140
"%s"
@@ -168,6 +169,7 @@ write_password_file(Relation rel)
168169

169170
/*
170171
* Rename the temp file to its final name, deleting the old pg_pwd.
172+
* We expect that rename(2) is an atomic action.
171173
*/
172174
if (rename(tempname,filename))
173175
elog(ERROR,"rename %s to %s: %m",tempname,filename);
@@ -176,19 +178,10 @@ write_password_file(Relation rel)
176178
pfree((void*)filename);
177179

178180
/*
179-
* Create a flag file the postmaster will detect the next time it
180-
* tries to authenticate a user. The postmaster will know to reload
181-
* the pg_pwd file contents. Note: we used to elog(ERROR) if the file
182-
* creation failed, but it's a little silly to abort the transaction
183-
* at this point, so let's just make it a NOTICE.
181+
* Signal the postmaster to reload its password-file cache.
184182
*/
185-
filename=crypt_getpwdreloadfilename();
186-
flagfd=BasicOpenFile(filename,O_WRONLY |O_CREAT,0600);
187-
if (flagfd<0)
188-
elog(NOTICE,"write_password_file: unable to write %s: %m",filename);
189-
else
190-
close(flagfd);
191-
pfree((void*)filename);
183+
if (IsUnderPostmaster)
184+
kill(getppid(),SIGHUP);
192185
}
193186

194187

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp