rdelaage/postgresql
1
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-10-03 16:56:55 +02:00
Code Issues Packages Projects Releases Wiki Activity
8a94332478
postgresql/src/include/libpq/hba.h

124 lines
2.4 KiB
C
Raw Normal View History

Prepare for new host-based authentication
1996-10-11 11:12:18 +02:00
/*-------------------------------------------------------------------------
*
Change my-function-name-- to my_function_name, and optimizer renames.
1999-02-14 00:22:53 +01:00
* hba.h
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
* Interface to hba.c
Prepare for new host-based authentication
1996-10-11 11:12:18 +02:00
*
*
Remove cvs keywords from all files.
2010-09-20 22:08:53 +02:00
* src/include/libpq/hba.h
Prepare for new host-based authentication
1996-10-11 11:12:18 +02:00
*
*-------------------------------------------------------------------------
*/
#ifndef HBA_H
Massive commit to run PGINDENT on all *.c and *.h files.
1997-09-07 07:04:48 +02:00
#define HBA_H
Prepare for new host-based authentication
1996-10-11 11:12:18 +02:00
Run pgindent on 9.2 source tree in preparation for first 9.3 commit-fest.
2012-06-10 21:20:04 +02:00
#include "libpq/pqcomm.h" /* pgrminclude ignore */ /* needed for NetBSD */
Authentication improvements: A new pg_hba.conf column, USER Allow specifiction of lists of users separated by commas Allow group names specified by + Allow include files containing lists of users specified by @ Allow lists of databases, and database files Allow samegroup in database column to match group name matching dbname Removal of secondary password files Remove pg_passwd utility Lots of code cleanup in user.c and hba.c New data/global/pg_pwd format New data/global/pg_group file
2002-04-04 06:25:54 +02:00
#include "nodes/pg_list.h"
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format. Similar changes were done to pg_hba.conf earlier already, this commit makes pg_ident.conf to behave the same as pg_hba.conf. This has two user-visible effects. First, if pg_ident.conf contains multiple errors, the whole file is parsed at postmaster startup time and all the errors are immediately reported. Before this patch, the file was parsed and the errors were reported only when someone tries to connect using an authentication method that uses the file, and the parsing stopped on first error. Second, if you SIGHUP to reload the config files, and the new pg_ident.conf file contains an error, the error is logged but the old file stays in effect. Also, regular expressions in pg_ident.conf are now compiled only once when the file is loaded, rather than every time the a user is authenticated. That should speed up authentication if you have a lot of regexps in the file. Amit Kapila
2012-09-21 16:41:22 +02:00
#include "regex/regex.h"
Authentication improvements: A new pg_hba.conf column, USER Allow specifiction of lists of users separated by commas Allow group names specified by + Allow include files containing lists of users specified by @ Allow lists of databases, and database files Allow samegroup in database column to match group name matching dbname Removal of secondary password files Remove pg_passwd utility Lots of code cleanup in user.c and hba.c New data/global/pg_pwd format New data/global/pg_group file
2002-04-04 06:25:54 +02:00
Finish up the flat-files project: get rid of GetRawDatabaseInfo() hack in favor of looking at the flat file copy of pg_database during backend startup. This should finally eliminate the various corner cases in which backend startup fails unexpectedly because it isn't able to distinguish live and dead tuples in pg_database. Simplify locking on pg_database to be similar to the rules used with pg_shadow and pg_group, and eliminate FlushRelationBuffers operations that were used only to reduce the odds of failure of GetRawDatabaseInfo. initdb forced due to addition of a trigger to pg_database.
2005-02-26 19:43:34 +01:00
Invent pg_hba_file_rules view to show the content of pg_hba.conf. This view is designed along the same lines as pg_file_settings, to wit it shows what is currently in the file, not what the postmaster has loaded as the active settings. That allows it to be used to pre-vet edits before issuing SIGHUP. As with the earlier view, go out of our way to allow errors in the file to be reflected in the view, to assist that use-case. (We might at some point invent a view to show the current active settings, but this is not that patch; and it's not trivial to do.) Haribabu Kommi, reviewed by Ashutosh Bapat, Michael Paquier, Simon Riggs, and myself Discussion: https://postgr.es/m/CAJrrPGerH4jiwpcXT1-46QXUDmNp2QDrG9+-Tek_xC8APHShYw@mail.gmail.com
2017-01-31 00:00:26 +01:00
/*
* The following enum represents the authentication methods that
* are supported by PostgreSQL.
*
* Note: keep this in sync with the UserAuthName array in hba.c.
*/
pgindent run before 6.3 release, with Thomas' requested changes.
1998-02-26 05:46:47 +01:00
typedef enum UserAuth
{
Another pgindent run. Fixes enum indenting, and improves #endif spacing. Also adds space for one-line comments.
2001-10-28 07:26:15 +01:00
uaReject,
Invent pg_hba_file_rules view to show the content of pg_hba.conf. This view is designed along the same lines as pg_file_settings, to wit it shows what is currently in the file, not what the postmaster has loaded as the active settings. That allows it to be used to pre-vet edits before issuing SIGHUP. As with the earlier view, go out of our way to allow errors in the file to be reflected in the view, to assist that use-case. (We might at some point invent a view to show the current active settings, but this is not that patch; and it's not trivial to do.) Haribabu Kommi, reviewed by Ashutosh Bapat, Michael Paquier, Simon Riggs, and myself Discussion: https://postgr.es/m/CAJrrPGerH4jiwpcXT1-46QXUDmNp2QDrG9+-Tek_xC8APHShYw@mail.gmail.com
2017-01-31 00:00:26 +01:00
uaImplicitReject, /* Not a user-visible option */
Another pgindent run. Fixes enum indenting, and improves #endif spacing. Also adds space for one-line comments.
2001-10-28 07:26:15 +01:00
uaTrust,
uaIdent,
uaPassword,
Add support for GSSAPI authentication. Documentation still being written, will be committed later. Henry B. Hotz and Magnus Hagander
2007-07-10 15:14:22 +02:00
uaMD5,
Allow SCRAM authentication, when pg_hba.conf says 'md5'. If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason we cannot attempt to perform SCRAM authentication instead of MD5. The worst that can happen is that the client doesn't support SCRAM, and the authentication will fail. But previously, it would fail for sure, because we would not even try. SCRAM is strictly more secure than MD5, so there's no harm in trying it. This allows for a more graceful transition from MD5 passwords to SCRAM, as user passwords can be changed to SCRAM verifiers incrementally, without changing pg_hba.conf. Refactor the code in auth.c to support that better. Notably, we now have to look up the user's pg_authid entry before sending the password challenge, also when performing MD5 authentication. Also simplify the concept of a "doomed" authentication. Previously, if a user had a password, but it had expired, we still performed SCRAM authentication (but always returned error at the end) using the salt and iteration count from the expired password. Now we construct a fake salt, like we do when the user doesn't have a password or doesn't exist at all. That simplifies get_role_password(), and we can don't need to distinguish the "user has expired password", and "user does not exist" cases in auth.c. On second thoughts, also rename uaSASL to uaSCRAM. It refers to the mechanism specified in pg_hba.conf, and while we use SASL for SCRAM authentication at the protocol level, the mechanism should be called SCRAM, not SASL. As a comparison, we have uaLDAP, even though it looks like the plain 'password' authentication at the protocol level. Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
uaSCRAM,
SSPI authentication on Windows. GSSAPI compatible client when doing Kerberos against a Unix server, and Windows-specific server-side authentication using SSPI "negotiate" method (Kerberos or NTLM). Only builds properly with MSVC for now.
2007-07-23 12:16:54 +02:00
uaGSS,
* make pg_hba authoption be a set of 0 or more name=value pairs * make LDAP use this instead of the hacky previous method to specify the DN to bind as * make all auth options behave the same when they are not compiled into the server * rename "ident maps" to "user name maps", and support them for all auth methods that provide an external username This makes a backwards incompatible change in the format of pg_hba.conf for the ident, PAM and LDAP authentication methods.
2008-10-23 15:31:10 +02:00
uaSSPI,
uaPAM,
Add BSD authentication method. Create a "bsd" auth method that works the same as "password" so far as clients are concerned, but calls the BSD Authentication service to check the password. This is currently only available on OpenBSD. Marisa Emerson, reviewed by Thomas Munro
2016-04-08 19:51:54 +02:00
uaBSD,
Add support for using SSL client certificates to authenticate to the database (only for SSL connections, obviously).
2008-11-20 12:48:26 +01:00
uaLDAP,
Add support for RADIUS authentication.
2010-01-27 13:12:00 +01:00
uaCert,
Rename ident authentication over local connections to peer This removes an overloading of two authentication options where one is very secure (peer) and one is often insecure (ident). Peer is also the name used in libpq from 9.1 to specify the same type of authentication. Also make initdb select peer for local connections when ident is chosen, and ident for TCP connections when peer is chosen. ident keyword in pg_hba.conf is still accepted and maps to peer authentication.
2011-03-19 18:44:35 +01:00
uaRADIUS,
uaPeer
Invent pg_hba_file_rules view to show the content of pg_hba.conf. This view is designed along the same lines as pg_file_settings, to wit it shows what is currently in the file, not what the postmaster has loaded as the active settings. That allows it to be used to pre-vet edits before issuing SIGHUP. As with the earlier view, go out of our way to allow errors in the file to be reflected in the view, to assist that use-case. (We might at some point invent a view to show the current active settings, but this is not that patch; and it's not trivial to do.) Haribabu Kommi, reviewed by Ashutosh Bapat, Michael Paquier, Simon Riggs, and myself Discussion: https://postgr.es/m/CAJrrPGerH4jiwpcXT1-46QXUDmNp2QDrG9+-Tek_xC8APHShYw@mail.gmail.com
2017-01-31 00:00:26 +01:00
#define USER_AUTH_LAST uaPeer /* Must be last value of this enum */
From: Phil Thompson <phil@river-bank.demon.co.uk> I've completed the patch to fix the protocol and authentication issues I was discussing a couple of weeks ago. The particular changes are: - the protocol has a version number - network byte order is used throughout - the pg_hba.conf file is used to specify what method is used to authenticate a frontend (either password, ident, trust, reject, krb4 or krb5) - support for multiplexed backends is removed - appropriate changes to man pages - the -a switch to many programs to specify an authentication service no longer has any effect - the libpq.so version number has changed to 1.1 The new backend still supports the old protocol so old interfaces won't break.
1998-01-26 02:42:53 +01:00
} UserAuth;
Support "samehost" and "samenet" specifications in pg_hba.conf, by enumerating the machine's IP interfaces to look for a match. Stef Walter
2009-10-01 03:58:58 +02:00
typedef enum IPCompareMethod
{
ipCmpMask,
ipCmpSameHost,
Support key word 'all' in host column of pg_hba.conf
2010-10-18 21:14:47 +02:00
ipCmpSameNet,
ipCmpAll
Support "samehost" and "samenet" specifications in pg_hba.conf, by enumerating the machine's IP interfaces to look for a match. Stef Walter
2009-10-01 03:58:58 +02:00
} IPCompareMethod;
Parse pg_hba.conf in postmaster, instead of once in each backend for each connection. This makes it possible to catch errors in the pg_hba file when it's being reloaded, instead of silently reloading a broken file and failing only when a user tries to connect. This patch also makes the "sameuser" argument to ident authentication optional.
2008-09-15 14:32:57 +02:00
typedef enum ConnType
{
ctLocal,
ctHost,
ctHostSSL,
ctHostNoSSL
} ConnType;
Modernise pg_hba.conf token processing The previous coding was ugly, as it marked special tokens as such in the wrong stage, relying on workarounds to figure out if they had been quoted in the original or not. This made it impossible to have specific keywords be recognized as such only in certain positions in HBA lines, for example. Fix by restructuring the parser code so that it remembers whether tokens were quoted or not. This eliminates widespread knowledge of possible known keywords for all fields. Also improve memory management in this area, to use memory contexts that are reset as a whole instead of using retail pfrees; this removes a whole lotta crufty (and probably slow) code. Instead of calling strlen() three times in next_field_expand on the returned token to find out whether there was a comma (and strip it), pass back the info directly from the callee, which is simpler. In passing, update historical artifacts in hba.c API. Authors: Brendan Jurd, Alvaro Herrera Reviewed by Pavel Stehule
2011-06-20 23:20:14 +02:00
typedef struct HbaLine
Parse pg_hba.conf in postmaster, instead of once in each backend for each connection. This makes it possible to catch errors in the pg_hba file when it's being reloaded, instead of silently reloading a broken file and failing only when a user tries to connect. This patch also makes the "sameuser" argument to ident authentication optional.
2008-09-15 14:32:57 +02:00
{
int linenumber;
Report pg_hba line number and contents when users fail to log in Instead of just reporting which user failed to log in, log both the line number in the active pg_hba.conf file (which may not match reality in case the file has been edited and not reloaded) and the contents of the matching line (which will always be correct), to make it easier to debug incorrect pg_hba.conf files. The message to the client remains unchanged and does not include this information, to prevent leaking security sensitive information. Reviewed by Tom Lane and Dean Rasheed
2013-03-10 15:54:37 +01:00
char *rawline;
Parse pg_hba.conf in postmaster, instead of once in each backend for each connection. This makes it possible to catch errors in the pg_hba file when it's being reloaded, instead of silently reloading a broken file and failing only when a user tries to connect. This patch also makes the "sameuser" argument to ident authentication optional.
2008-09-15 14:32:57 +02:00
ConnType conntype;
Modernise pg_hba.conf token processing The previous coding was ugly, as it marked special tokens as such in the wrong stage, relying on workarounds to figure out if they had been quoted in the original or not. This made it impossible to have specific keywords be recognized as such only in certain positions in HBA lines, for example. Fix by restructuring the parser code so that it remembers whether tokens were quoted or not. This eliminates widespread knowledge of possible known keywords for all fields. Also improve memory management in this area, to use memory contexts that are reset as a whole instead of using retail pfrees; this removes a whole lotta crufty (and probably slow) code. Instead of calling strlen() three times in next_field_expand on the returned token to find out whether there was a comma (and strip it), pass back the info directly from the callee, which is simpler. In passing, update historical artifacts in hba.c API. Authors: Brendan Jurd, Alvaro Herrera Reviewed by Pavel Stehule
2011-06-20 23:20:14 +02:00
List *databases;
List *roles;
Parse pg_hba.conf in postmaster, instead of once in each backend for each connection. This makes it possible to catch errors in the pg_hba file when it's being reloaded, instead of silently reloading a broken file and failing only when a user tries to connect. This patch also makes the "sameuser" argument to ident authentication optional.
2008-09-15 14:32:57 +02:00
struct sockaddr_storage addr;
struct sockaddr_storage mask;
Support "samehost" and "samenet" specifications in pg_hba.conf, by enumerating the machine's IP interfaces to look for a match. Stef Walter
2009-10-01 03:58:58 +02:00
IPCompareMethod ip_cmp_method;
Support host names in pg_hba.conf Peter Eisentraut, reviewed by KaiGai Kohei and Tom Lane
2010-10-15 21:53:39 +02:00
char *hostname;
Parse pg_hba.conf in postmaster, instead of once in each backend for each connection. This makes it possible to catch errors in the pg_hba file when it's being reloaded, instead of silently reloading a broken file and failing only when a user tries to connect. This patch also makes the "sameuser" argument to ident authentication optional.
2008-09-15 14:32:57 +02:00
UserAuth auth_method;
* make pg_hba authoption be a set of 0 or more name=value pairs * make LDAP use this instead of the hacky previous method to specify the DN to bind as * make all auth options behave the same when they are not compiled into the server * rename "ident maps" to "user name maps", and support them for all auth methods that provide an external username This makes a backwards incompatible change in the format of pg_hba.conf for the ident, PAM and LDAP authentication methods.
2008-10-23 15:31:10 +02:00
Parse pg_hba.conf in postmaster, instead of once in each backend for each connection. This makes it possible to catch errors in the pg_hba file when it's being reloaded, instead of silently reloading a broken file and failing only when a user tries to connect. This patch also makes the "sameuser" argument to ident authentication optional.
2008-09-15 14:32:57 +02:00
char *usermap;
* make pg_hba authoption be a set of 0 or more name=value pairs * make LDAP use this instead of the hacky previous method to specify the DN to bind as * make all auth options behave the same when they are not compiled into the server * rename "ident maps" to "user name maps", and support them for all auth methods that provide an external username This makes a backwards incompatible change in the format of pg_hba.conf for the ident, PAM and LDAP authentication methods.
2008-10-23 15:31:10 +02:00
char *pamservice;
Set PAM_RHOST item for PAM authentication The PAM_RHOST item is set to the remote IP address or host name and can be used by PAM modules. A pg_hba.conf option is provided to choose between IP address and resolved host name. From: Grzegorz Sampolski <grzsmp@gmail.com> Reviewed-by: Haribabu Kommi <kommi.haribabu@gmail.com>
2016-04-08 16:45:16 +02:00
bool pam_use_hostname;
* make pg_hba authoption be a set of 0 or more name=value pairs * make LDAP use this instead of the hacky previous method to specify the DN to bind as * make all auth options behave the same when they are not compiled into the server * rename "ident maps" to "user name maps", and support them for all auth methods that provide an external username This makes a backwards incompatible change in the format of pg_hba.conf for the ident, PAM and LDAP authentication methods.
2008-10-23 15:31:10 +02:00
bool ldaptls;
char *ldapserver;
int ldapport;
Allow LDAP authentication to operate in search+bind mode, meaning it does a search for the user in the directory first, and then binds with the DN found for this user. This allows for LDAP logins in scenarios where the DN of the user cannot be determined simply by prefix and suffix, such as the case where different users are located in different containers. The old way of authentication can be significantly faster, so it's kept as an option. Robert Fleming and Magnus Hagander
2009-12-12 22:35:21 +01:00
char *ldapbinddn;
char *ldapbindpasswd;
char *ldapsearchattribute;
char *ldapbasedn;
Add support for LDAP URLs Allow specifying LDAP authentication parameters as RFC 4516 LDAP URLs.
2012-12-04 05:29:56 +01:00
int ldapscope;
* make pg_hba authoption be a set of 0 or more name=value pairs * make LDAP use this instead of the hacky previous method to specify the DN to bind as * make all auth options behave the same when they are not compiled into the server * rename "ident maps" to "user name maps", and support them for all auth methods that provide an external username This makes a backwards incompatible change in the format of pg_hba.conf for the ident, PAM and LDAP authentication methods.
2008-10-23 15:31:10 +02:00
char *ldapprefix;
char *ldapsuffix;
Control client certificate requesting with the pg_hba option "clientcert" instead of just relying on the root certificate file to be present.
2008-11-20 10:29:36 +01:00
bool clientcert;
Allow krb_realm (krb5, gssapi and sspi) and krb_server_hostname (krb5 only) authentication options to be set in pg_hba.conf on a per-line basis, to override the defaults set in postgresql.conf.
2009-01-07 13:38:11 +01:00
char *krb_realm;
Add hba parameter include_realm to krb5, gss and sspi authentication, used to pass the full username@realm string to the authentication instead of just the username. This makes it possible to use pg_ident.conf to authenticate users from multiple realms as different database users.
2009-01-07 14:09:21 +01:00
bool include_realm;
Add authentication parameters compat_realm and upn_usename for SSPI These parameters are available for SSPI authentication only, to make it possible to make it behave more like "normal gssapi", while making it possible to maintain compatibility. compat_realm is on by default, but can be turned off to make the authentication use the full Kerberos realm instead of the NetBIOS name. upn_username is off by default, and can be turned on to return the users Kerberos UPN rather than the SAM-compatible name (a user in Active Directory can have both a legacy SAM-compatible username and a new Kerberos one. Normally they are the same, but not always) Author: Christian Ullrich Reviewed by: Robbie Harwood, Alvaro Herrera, me
2016-04-08 20:23:52 +02:00
bool compat_realm;
bool upn_username;
Support multiple RADIUS servers This changes all the RADIUS related parameters (radiusserver, radiussecret, radiusport, radiusidentifier) to be plural and to accept a comma separated list of servers, which will be tried in order. Reviewed by Adam Brightwell
2017-03-22 17:55:16 +01:00
List *radiusservers;
char *radiusservers_s;
List *radiussecrets;
char *radiussecrets_s;
List *radiusidentifiers;
char *radiusidentifiers_s;
List *radiusports;
char *radiusports_s;
Parse pg_hba.conf in postmaster, instead of once in each backend for each connection. This makes it possible to catch errors in the pg_hba file when it's being reloaded, instead of silently reloading a broken file and failing only when a user tries to connect. This patch also makes the "sameuser" argument to ident authentication optional.
2008-09-15 14:32:57 +02:00
} HbaLine;
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format. Similar changes were done to pg_hba.conf earlier already, this commit makes pg_ident.conf to behave the same as pg_hba.conf. This has two user-visible effects. First, if pg_ident.conf contains multiple errors, the whole file is parsed at postmaster startup time and all the errors are immediately reported. Before this patch, the file was parsed and the errors were reported only when someone tries to connect using an authentication method that uses the file, and the parsing stopped on first error. Second, if you SIGHUP to reload the config files, and the new pg_ident.conf file contains an error, the error is logged but the old file stays in effect. Also, regular expressions in pg_ident.conf are now compiled only once when the file is loaded, rather than every time the a user is authenticated. That should speed up authentication if you have a lot of regexps in the file. Amit Kapila
2012-09-21 16:41:22 +02:00
typedef struct IdentLine
{
pgindent run for release 9.3 This is the first run of the Perl-based pgindent script. Also update pgindent instructions.
2013-05-29 22:58:43 +02:00
int linenumber;
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format. Similar changes were done to pg_hba.conf earlier already, this commit makes pg_ident.conf to behave the same as pg_hba.conf. This has two user-visible effects. First, if pg_ident.conf contains multiple errors, the whole file is parsed at postmaster startup time and all the errors are immediately reported. Before this patch, the file was parsed and the errors were reported only when someone tries to connect using an authentication method that uses the file, and the parsing stopped on first error. Second, if you SIGHUP to reload the config files, and the new pg_ident.conf file contains an error, the error is logged but the old file stays in effect. Also, regular expressions in pg_ident.conf are now compiled only once when the file is loaded, rather than every time the a user is authenticated. That should speed up authentication if you have a lot of regexps in the file. Amit Kapila
2012-09-21 16:41:22 +02:00
char *usermap;
char *ident_user;
char *pg_role;
pgindent run for release 9.3 This is the first run of the Perl-based pgindent script. Also update pgindent instructions.
2013-05-29 22:58:43 +02:00
regex_t re;
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format. Similar changes were done to pg_hba.conf earlier already, this commit makes pg_ident.conf to behave the same as pg_hba.conf. This has two user-visible effects. First, if pg_ident.conf contains multiple errors, the whole file is parsed at postmaster startup time and all the errors are immediately reported. Before this patch, the file was parsed and the errors were reported only when someone tries to connect using an authentication method that uses the file, and the parsing stopped on first error. Second, if you SIGHUP to reload the config files, and the new pg_ident.conf file contains an error, the error is logged but the old file stays in effect. Also, regular expressions in pg_ident.conf are now compiled only once when the file is loaded, rather than every time the a user is authenticated. That should speed up authentication if you have a lot of regexps in the file. Amit Kapila
2012-09-21 16:41:22 +02:00
} IdentLine;
Remove the use of the pg_auth flat file for client authentication. (That flat file is now completely useless, but removal will come later.) To do this, postpone client authentication into the startup transaction that's run by InitPostgres. We still collect the startup packet and do SSL initialization (if needed) at the same time we did before. The AuthenticationTimeout is applied separately to startup packet collection and the actual authentication cycle. (This is a bit annoying, since it means a couple extra syscalls; but the signal handling requirements inside and outside a transaction are sufficiently different that it seems best to treat the timeouts as completely independent.) A small security disadvantage is that if the given database name is invalid, this will be reported to the client before any authentication happens. We could work around that by connecting to database "postgres" instead, but consensus seems to be that it's not worth introducing such surprising behavior. Processing of all command-line switches and GUC options received from the client is now postponed until after authentication. This means that PostAuthDelay is much less useful than it used to be --- if you need to investigate problems during InitPostgres you'll have to set PreAuthDelay instead. However, allowing an unauthenticated user to set any GUC options whatever seems a bit too risky, so we'll live with that.
2009-08-29 21:26:52 +02:00
/* kluge to avoid including libpq/libpq-be.h here */
Lots of patches coming in from me today :-) When drawing up a very simple "text-drawing" of how the negotiation is done, I realised I had done this last part (fallback) in a very stupid way. Patch #4 fixes this, and does it in a much better way. Included is also the simple text-drawing of how the negotiation is done. //Magnus
1999-09-27 05:13:16 +02:00
typedef struct Port hbaPort;
Parse pg_hba.conf in postmaster, instead of once in each backend for each connection. This makes it possible to catch errors in the pg_hba file when it's being reloaded, instead of silently reloading a broken file and failing only when a user tries to connect. This patch also makes the "sameuser" argument to ident authentication optional.
2008-09-15 14:32:57 +02:00
extern bool load_hba(void);
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format. Similar changes were done to pg_hba.conf earlier already, this commit makes pg_ident.conf to behave the same as pg_hba.conf. This has two user-visible effects. First, if pg_ident.conf contains multiple errors, the whole file is parsed at postmaster startup time and all the errors are immediately reported. Before this patch, the file was parsed and the errors were reported only when someone tries to connect using an authentication method that uses the file, and the parsing stopped on first error. Second, if you SIGHUP to reload the config files, and the new pg_ident.conf file contains an error, the error is logged but the old file stays in effect. Also, regular expressions in pg_ident.conf are now compiled only once when the file is loaded, rather than every time the a user is authenticated. That should speed up authentication if you have a lot of regexps in the file. Amit Kapila
2012-09-21 16:41:22 +02:00
extern bool load_ident(void);
Modernise pg_hba.conf token processing The previous coding was ugly, as it marked special tokens as such in the wrong stage, relying on workarounds to figure out if they had been quoted in the original or not. This made it impossible to have specific keywords be recognized as such only in certain positions in HBA lines, for example. Fix by restructuring the parser code so that it remembers whether tokens were quoted or not. This eliminates widespread knowledge of possible known keywords for all fields. Also improve memory management in this area, to use memory contexts that are reset as a whole instead of using retail pfrees; this removes a whole lotta crufty (and probably slow) code. Instead of calling strlen() three times in next_field_expand on the returned token to find out whether there was a comma (and strip it), pass back the info directly from the callee, which is simpler. In passing, update historical artifacts in hba.c API. Authors: Brendan Jurd, Alvaro Herrera Reviewed by Pavel Stehule
2011-06-20 23:20:14 +02:00
extern void hba_getauthmethod(hbaPort *port);
8.4 pgindent run, with new combined Linux/FreeBSD/MinGW typedef list provided by Andrew.
2009-06-11 16:49:15 +02:00
extern int check_usermap(const char *usermap_name,
const char *pg_role, const char *auth_user,
bool case_sensitive);
Move ident authentication code into auth.c along with the other authenciation routines, leaving hba.c to deal only with processing the HBA specific files.
2008-08-01 11:09:49 +02:00
extern bool pg_isblank(const char c);
Another pgindent run. Fixes enum indenting, and improves #endif spacing. Also adds space for one-line comments.
2001-10-28 07:26:15 +01:00
Standard pgindent run for 8.1.
2005-10-15 04:49:52 +02:00
#endif /* HBA_H */
Reference in New Issue Copy Permalink