Commit9872381

committed
Parse pg_hba.conf in postmaster, instead of once in each backend for
each connection. This makes it possible to catch errors in the pg_hba file when it's being reloaded, instead of silently reloading a broken file and failing only when a user tries to connect. This patch also makes the "sameuser" argument to ident authentication optional.
1 parentb850cf6 commit9872381

8 files changed

+394
-261
lines changed


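--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.106 2008/01/05 13:17:00 petere Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.107 2008/09/15 12:32:56 mha Exp $ -->
 
 <chapter id="client-authentication">
 <title>Client Authentication</title>
@@ -509,7 +509,7 @@ host all all 127.0.0.1 255.255.255.255 trust
 # the connection (typically the Unix user name).
 #
 # TYPE DATABASE USER CIDR-ADDRESS METHOD
-host postgres all 192.168.93.0/24 ident sameuser
+host postgres all 192.168.93.0/24 ident
 
 # Allow a user from host 192.168.12.10 to connect to database
 # "postgres" if the user's password is correctly supplied.
@@ -839,8 +839,8 @@ local db1,db2,@demodbs all md5
 
 <para>
 The ident authentication method works by obtaining the client's
-operating system user name, then determining the alloweddatabase
-user names using a map file that lists the permitted
+operating system user name, thenoptionallydetermining the allowed
+databaseuser names using a map file that lists the permitted
 corresponding pairs of names. The determination of the client's
 user name is the security-critical point, and it works differently
 depending on the connection type.
@@ -928,15 +928,13 @@ local db1,db2,@demodbs all md5
 allowed to connect as the database user he is requesting to connect
 as. This is controlled by the ident map argument that follows the
 <literal>ident</> key word in the <filename>pg_hba.conf</filename>
-file. There is a predefined ident map <literal>sameuser</literal>,
-which allows any operating system user to connect as the database
-user of the same name (if the latter exists). Other maps must be
-created manually.
+file. If an ident map is not specified, the database user will be
+checked with the same name as the operating system user. Other maps
+must be created manually.
 </para>
 
 <para>
-Ident maps other than <literal>sameuser</literal> are defined in the
-ident map file, which by default is named
+Ident maps are defined in the ident map file, which by default is named
 <filename>pg_ident.conf</><indexterm><primary>pg_ident.conf</primary></indexterm>
 and is stored in the
 cluster's data directory. (It is possible to place the map file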

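--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.167 2008/08/01 11:41:12 mha Exp $
+* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.168 2008/09/15 12:32:56 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -211,7 +211,7 @@ auth_failed(Port *port, int status)
 if (status==STATUS_EOF)
 proc_exit(0);
 
-switch (port->auth_method)
+switch (port->hba->auth_method)
 {
 caseuaReject:
 errstr=gettext_noop("authentication failed for user \"%s\": host rejected");
@@ -279,7 +279,7 @@ ClientAuthentication(Port *port)
 errmsg("missing or erroneous pg_hba.conf file"),
 errhint("See server log for details.")));
 
-switch (port->auth_method)
+switch (port->hba->auth_method)
 {
 caseuaReject:
 
@@ -1761,7 +1761,7 @@ ident_unix(int sock, char *ident_user)
 /*
 *Determine the username of the initiator of the connection described
 *by "port".Then look in the usermap file under the usermap
-*port->auth_arg and see if that user is equivalent to Postgres user
+*port->hba->usermap and see if that user is equivalent to Postgres user
 *port->user.
 *
 *Return STATUS_OK if yes, STATUS_ERROR if no match (or couldn't get info).
@@ -1799,7 +1799,7 @@ authident(hbaPort *port)
 (errmsg("Ident protocol identifies remote user as \"%s\"",
 ident_user)));
 
-if (check_ident_usermap(port->auth_arg,port->user_name,ident_user))
+if (check_ident_usermap(port->hba->usermap,port->user_name,ident_user))
 returnSTATUS_OK;
 else
 returnSTATUS_ERROR;
@@ -1913,8 +1913,8 @@ CheckPAMAuth(Port *port, char *user, char *password)
 * not allocated */
 
 /* Optionally, one can set the service name in pg_hba.conf */
-if (port->auth_arg&&port->auth_arg[0]!='\0')
-retval=pam_start(port->auth_arg,"pgsql@",
+if (port->hba->auth_arg&&port->hba->auth_arg[0]!='\0')
+retval=pam_start(port->hba->auth_arg,"pgsql@",
 &pam_passw_conv,&pamh);
 else
 retval=pam_start(PGSQL_PAM_SERVICE,"pgsql@",
@@ -2011,7 +2011,7 @@ CheckLDAPAuth(Port *port)
 intldapport=LDAP_PORT;
 charfulluser[NAMEDATALEN+256+1];
 
-if (!port->auth_arg||port->auth_arg[0]=='\0')
+if (!port->hba->auth_arg||port->hba->auth_arg[0]=='\0')
 {
 ereport(LOG,
 (errmsg("LDAP configuration URL not specified")));
@@ -2035,13 +2035,13 @@ CheckLDAPAuth(Port *port)
 suffix[0]='\0';
 
 /* ldap, including port number */
-r=sscanf(port->auth_arg,
+r=sscanf(port->hba->auth_arg,
 "ldap://%127[^:]:%d/%127[^;];%127[^;];%127[^\n]",
 server,&ldapport,basedn,prefix,suffix);
 if (r<3)
 {
 /* ldaps, including port number */
-r=sscanf(port->auth_arg,
+r=sscanf(port->hba->auth_arg,
 "ldaps://%127[^:]:%d/%127[^;];%127[^;];%127[^\n]",
 server,&ldapport,basedn,prefix,suffix);
 if (r >=3)
@@ -2050,14 +2050,14 @@ CheckLDAPAuth(Port *port)
 if (r<3)
 {
 /* ldap, no port number */
-r=sscanf(port->auth_arg,
+r=sscanf(port->hba->auth_arg,
 "ldap://%127[^/]/%127[^;];%127[^;];%127[^\n]",
 server,basedn,prefix,suffix);
 }
 if (r<2)
 {
 /* ldaps, no port number */
-r=sscanf(port->auth_arg,
+r=sscanf(port->hba->auth_arg,
 "ldaps://%127[^/]/%127[^;];%127[^;];%127[^\n]",
 server,basedn,prefix,suffix);
 if (r >=2)
@@ -2067,7 +2067,7 @@ CheckLDAPAuth(Port *port)
 {
 ereport(LOG,
 (errmsg("invalid LDAP URL: \"%s\"",
-port->auth_arg)));
+port->hba->auth_arg)));
 returnSTATUS_ERROR;
 }
 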
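Review bot: In authident, `check_ident_usermap(port->hba->usermap, port->user_name, ident_user)` now receives a usermap that, per the commit message, may be absent when the pg_hba line names no map, and whether check_ident_usermap treats a missing map as a strict same-name comparison rather than accepting any name is decided in code outside this hunk. Because the client-auth.sgml text calls this identity decision the security-critical point, the call site should state the precondition it relies on, e.g. `/* No usermap on the pg_hba line means "sameuser": only an identical OS and database user name is accepted. */`. Likewise auth_failed and ClientAuthentication now dereference port->hba unconditionally; the lookup that populates it is not visible here, so confirm that the "missing or erroneous pg_hba.conf file" FATAL path precedes every caller, or add `Assert(port->hba != NULL);` before each switch. authident's body begins before this hunk.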

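--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -9,7 +9,7 @@
 * Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
-* $PostgreSQL: pgsql/src/backend/libpq/crypt.c,v 1.74 2008/01/01 19:45:49 momjian Exp $
+* $PostgreSQL: pgsql/src/backend/libpq/crypt.c,v 1.75 2008/09/15 12:32:56 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -54,7 +54,7 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass)
 returnSTATUS_ERROR;
 
 /* We can't do crypt with MD5 passwords */
-if (isMD5(shadow_pass)&&port->auth_method==uaCrypt)
+if (isMD5(shadow_pass)&&port->hba->auth_method==uaCrypt)
 {
 ereport(LOG,
 (errmsg("cannot use authentication method \"crypt\" because password is MD5-encrypted")));
@@ -65,7 +65,7 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass)
 * Compare with the encrypted or plain password depending on the
 * authentication method being used for this connection.
 */
-switch (port->auth_method)
+switch (port->hba->auth_method)
 {
 caseuaMD5:
 crypt_pwd=palloc(MD5_PASSWD_LEN+1);
@@ -155,7 +155,7 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass)
 }
 }
 
-if (port->auth_method==uaMD5)
+if (port->hba->auth_method==uaMD5)
 pfree(crypt_pwd);
 if (crypt_client_pass!=client_pass)
 pfree(crypt_client_pass);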
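Review bot: md5_crypt_verify takes `const Port *port` but now reads `port->hba->auth_method` in three places, so its correctness depends on the caller having already resolved the pg_hba.conf match into port->hba; the only guard visible on this page is the "missing or erroneous pg_hba.conf file" check in ClientAuthentication, and whether every caller of this function goes through it cannot be confirmed from the hunks shown. The function's header comment should make that precondition explicit, e.g. `/* Requires port->hba to be set: the pg_hba.conf line for this connection is matched before any password check runs. */`. md5_crypt_verify begins and ends outside the hunks shown.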
