You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add support for file inclusions in HBA and ident configuration files
pg_hba.conf and pg_ident.conf gain support for three record keywords:
- "include", to include a file.
- "include_if_exists", to include a file, ignoring it if missing.
- "include_dir", to include a directory of files. These are classified
by name (C locale, mostly) and need to be prefixed by ".conf", hence
following the same rules as GUCs.
This commit relies on the refactoring pieces done in efc9816, ad6c528,
783e8c6 and 1b73d0b, adding a small wrapper to build a list of
TokenizedAuthLines (tokenize_include_file), and the code is shaped to
offer some symmetry with what is done for GUCs with the same options.
pg_hba_file_rules and pg_ident_file_mappings gain a new field called
file_name, to track from which file a record is located, taking
advantage of the addition of rule_number in c591300 to offer an
organized view of the HBA or ident records loaded.
Bump catalog version.
Author: Julien Rouhaud
Reviewed-by: Michael Paquier
Discussion: https://postgr.es/m/20220223045959.35ipdsvbxcstrhya@jrouhaud
Copy file name to clipboardExpand all lines: doc/src/sgml/client-auth.sgml
+72-14
Original file line number
Diff line number
Diff line change
@@ -89,8 +89,8 @@
89
89
</para>
90
90
91
91
<para>
92
-
Each record specifies a connection type, a client IP address range
93
-
(if relevant for the connection type), a database name, a user name,
92
+
Each authentication record specifies a connection type, a client IP address
93
+
range (if relevant for the connection type), a database name, a user name,
94
94
and the authentication method to be used for connections matching
95
95
these parameters. The first record with a matching connection type,
96
96
client address, requested database, and user name is used to perform
@@ -100,20 +100,38 @@
100
100
access is denied.
101
101
</para>
102
102
103
+
<para>
104
+
Each record can be an include directive or an authentication record.
105
+
Include directives specify files that can be included, that contain
106
+
additional records. The records will be inserted in place of the
107
+
include records. These records only contain two fields:
108
+
<literal>include</literal>, <literal>include_if_exists</literal> or
109
+
<literal>include_dir</literal> directive and the file or directory to be
110
+
included. The file or directory can be a relative of absolute path, and can
111
+
be double-quoted. For the <literal>include_dir</literal> form, all files
112
+
not starting with a <literal>.</literal> and ending with
113
+
<literal>.conf</literal> will be included. Multiple files within an include
114
+
directory are processed in file name order (according to C locale rules,
115
+
i.e., numbers before letters, and uppercase letters before lowercase ones).
116
+
</para>
117
+
103
118
<para>
104
119
A record can have several formats:
105
120
<synopsis>
106
-
local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
0 commit comments