Re: HBA files w/include support?

Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> writes:

> Bruce Momjian wrote:
>
>> On Thu, Feb 13, 2014 at 08:24:27PM -0600, Jerry Sievers wrote:
>> > Greetings Hackers.
>> >
>> > I'm aware of how a pg_hba.conf file can refer to other files for
>> > including @lists of users, etc.
>> >
>> > But there is currently no support for being able to pull in entire file
>> > segments as can be done for postgresql.conf via the include directive.
>
>> I have never heard of anyone request this.
>
> On the contrary, I have vague memories that this has been discussed and
> agreed upon; we have just never implemented it.

Interesting and it'd surprise me if no one has ever wanted the feature.

>
> One issue with this is that pg_hba.conf is order sensitive, which could
> become a trap for the unwary if includes are used carelessly.

Indeed.

The other thing that comes to mind, is that as opposed to
postgresql.conf and the include scenario there... one can do show all or
query from pg_stat_activity just to see what setting they ended up
with.

I'm not aware of any way to probe what hba rules are loaded at runtime
and thus, debugging hba config changes not really possible.

I presume that a simple scenario involving just 1 level of includes not
too difficult to grok but nested includes sure might be a foot gun
unless there was a way to dump the resulting configs somehow.

Thus pasting hba files together externally a more reliable approach.

Thanks

--
Jerry Sievers
Postgres DBA/Development Consulting
e: postgres(dot)consulting(at)comcast(dot)net
p: 312.241.7800