Add support for file inclusions in HBA and ident configuration files
pg_hba.conf and pg_ident.conf gain support for three record keywords:
- "include", to include a file.
- "include_if_exists", to include a file, ignoring it if missing.
- "include_dir", to include a directory of files. These are classified
by name (C locale, mostly) and need to be prefixed by ".conf", hence
following the same rules as GUCs.

This commit relies on the refactoring pieces done in efc9816, ad6c528,
783e8c6 and 1b73d0b, adding a small wrapper to build a list of
TokenizedAuthLines (tokenize_include_file), and the code is shaped to
offer some symmetry with what is done for GUCs with the same options.

pg_hba_file_rules and pg_ident_file_mappings gain a new field called
file_name, to track from which file a record is located, taking
advantage of the addition of rule_number in c591300 to offer an
organized view of the HBA or ident records loaded.

Bump catalog version.

Author: Julien Rouhaud
Reviewed-by: Michael Paquier
Discussion: https://postgr.es/m/20220223045959.35ipdsvbxcstrhya@jrouhaud
doc/src/sgml/client-auth.sgml (72 additions & 14 deletions)
@@ -89,8 +89,8 @@
89
89
</para>
90
90
91
91
<para>
92
-
Each record specifies a connection type, a client IP address range
93
-
(if relevant for the connection type), a database name, a user name,
92
+
Eachauthenticationrecord specifies a connection type, a client IP address
93
+
range(if relevant for the connection type), a database name, a user name,
94
94
and the authentication method to be used for connections matching
95
95
these parameters. The first record with a matching connection type,
96
96
client address, requested database, and user name is used to perform
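Review bot: the rewording to "Each authentication record" uses a term that the text has not defined at this point; the distinction between include directives and authentication records only appears in the paragraph added further down in this file. Either give a short definition here, e.g. "Each authentication record (as opposed to an include directive, described below) specifies a connection type, ...", or move the include-directive paragraph ahead of this one so the term is explained on first use.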
@@ -100,20 +100,38 @@
100
100
access is denied.
101
101
</para>
102
102
103
+
<para>
104
+
Each record can be an include directive or an authentication record.
105
+
Include directives specify files that can be included, that contain
106
+
additional records. The records will be inserted in place of the
107
+
include records. These records only contain two fields:
108
+
<literal>include</literal>, <literal>include_if_exists</literal> or
109
+
<literal>include_dir</literal> directive and the file or directory to be
110
+
included. The file or directory can be a relative of absolute path, and can
111
+
be double-quoted. For the <literal>include_dir</literal> form, all files
112
+
not starting with a <literal>.</literal> and ending with
113
+
<literal>.conf</literal> will be included. Multiple files within an include
114
+
directory are processed in file name order (according to C locale rules,
115
+
i.e., numbers before letters, and uppercase letters before lowercase ones).
116
+
</para>
117
+
103
118
<para>
104
119
A record can have several formats:
105
120
<synopsis>
106
-
local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
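Review bot: "The file or directory can be a relative of absolute path" should read "relative or absolute path". That sentence also leaves unstated what a relative path is resolved against; since the commit message says these directives follow the same rules as GUCs, please state the base directory explicitly (for instance "relative to the directory of the file containing the directive", if that is the behaviour), because an administrator needs to know which file will actually be loaded when the same relative name exists in more than one directory. Minor: "inserted in place of the include records" says "include records" where the rest of the paragraph says "include directives"; use one term.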