Re: [PATCH] HINT: pg_hba.conf changed since last config reload

On 2015-01-16 12:21:13 -0500, Tom Lane wrote:
> Andres Freund <andres(at)2ndquadrant(dot)com> writes:
> > Why don't we just add emit a NOTICE or WARNING in the relevant place
> > saying that pg_hba.conf is outdated? Then the server won't log those if
> > configured appropriately, which doesn't seem like a bad thing. Note that
> > <= ERROR messages aren't sent to the client during authentication.
>
> I think people felt that sending that information to the client wouldn't
> be a good idea security-wise.

It won't if issued during the right phase of the authentication:
/*
* client_min_messages is honored only after we complete the
* authentication handshake. This is required both for security
* reasons and because many clients can't handle NOTICE messages
* during authentication.
*/
if (ClientAuthInProgress)
output_to_client = (elevel >= ERROR);
else
output_to_client = (elevel >= client_min_messages ||
elevel == INFO);
}

Surely deserves a comment on the emitting site.

> But I'd phrase it as "why not just emit a LOG message?".

Well, LOGs can be sent to the client just the same, no? Just requires a
nondefault client_min_messages.

But as I don't think sending logs to the client is a unsurmountable
problem (due to the above) I don't really care if we use WARNING or LOG.

Greetings,

Andres Freund

--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services