Quick Links

pg_hba.conf host name wildcard support

Lists:	pgsql-hackers

From:	Peter Eisentraut <peter_e(at)gmx(dot)net>
To:	pgsql-hackers(at)postgresql(dot)org
Subject:	pg_hba.conf host name wildcard support
Date:	2010-10-21 03:38:55
Message-ID:	1287632335.25336.6.camel@vanquo.pezone.net
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Lists:	pgsql-hackers

So, as previously indicated, let's add some wildcard support to the
pg_hba.conf host name feature. After looking around a bit, two syntaxes
appear to be on offer:

1. TCP Wrappers style, leading dot indicates suffix match.
So .example.com matches anything.example.com. Not sure how useful that
would be, but it could be implemented in about 3 lines of code.

2. Full regular expressions. I'd suggest the pg_ident.conf style, where
a leading slash indicates a regex. An example could be /^dbserver\d\.
With some code refactoring, this would also only take a few extra lines
of code.

Comments, other ideas?

From:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To:	Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc:	pgsql-hackers(at)postgresql(dot)org
Subject:	Re: pg_hba.conf host name wildcard support
Date:	2010-10-21 04:54:26
Message-ID:	13002.1287636866@sss.pgh.pa.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Lists:	pgsql-hackers

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> So, as previously indicated, let's add some wildcard support to the
> pg_hba.conf host name feature. After looking around a bit, two syntaxes
> appear to be on offer:

> 1. TCP Wrappers style, leading dot indicates suffix match.
> So .example.com matches anything.example.com. Not sure how useful that
> would be, but it could be implemented in about 3 lines of code.

> 2. Full regular expressions. I'd suggest the pg_ident.conf style, where
> a leading slash indicates a regex. An example could be /^dbserver\d\.
> With some code refactoring, this would also only take a few extra lines
> of code.

I'd lean to #1 myself. Regexes would be a perpetual foot-gun because
(a) dot is a metacharacter to a regex and (b) a non-anchored pattern
is default but would be insecure in most usages.

There is a SQL-ish solution to those two objections: use LIKE or SIMILAR
TO pattern language not standard regex. But #1 would be far more
familiar to most admin types.

regards, tom lane

From:	Dimitri Fontaine <dimitri(at)2ndQuadrant(dot)fr>
To:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc:	Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject:	Re: pg_hba.conf host name wildcard support
Date:	2010-10-21 09:49:41
Message-ID:	m2eibjyix6.fsf@2ndQuadrant.fr
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Lists:	pgsql-hackers

Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
>> 1. TCP Wrappers style, leading dot indicates suffix match.
>> So .example.com matches anything.example.com. Not sure how useful that
>> would be, but it could be implemented in about 3 lines of code.
>
> I'd lean to #1 myself.

FWIW, +1

--
Dimitri Fontaine
http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support

From:	Peter Eisentraut <peter_e(at)gmx(dot)net>
To:	pgsql-hackers(at)postgresql(dot)org
Subject:	Re: pg_hba.conf host name wildcard support
Date:	2010-10-23 12:19:02
Message-ID:	1287836342.2967.1.camel@vanquo.pezone.net
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Lists:	pgsql-hackers

On tor, 2010-10-21 at 06:38 +0300, Peter Eisentraut wrote:
> So, as previously indicated, let's add some wildcard support to the
> pg_hba.conf host name feature. After looking around a bit, two syntaxes
> appear to be on offer:
>
> 1. TCP Wrappers style, leading dot indicates suffix match.
> So .example.com matches anything.example.com. Not sure how useful that
> would be, but it could be implemented in about 3 lines of code.

Here is a patch for that.

Attachment	Content-Type	Size
hba-host-pattern.patch	text/x-patch	3.9 KB