From 3995c424984e991b1069a2869af972dc07574c0b Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 28 Dec 2020 17:58:58 -0500 Subject: [PATCH] Improve log messages related to pg_hba.conf not matching a connection. Include details on whether GSS encryption has been activated; since we added "hostgssenc" type HBA entries, that's relevant info. Kyotaro Horiguchi and Tom Lane. Back-patch to v12 where GSS encryption was introduced. Discussion: https://postgr.es/m/e5b0b6ed05764324a2f3fe7acfc766d5@smhi.se --- src/backend/libpq/auth.c | 72 ++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 44 deletions(-) diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index d4ec965934..515ae95fe1 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -401,44 +401,37 @@ ClientAuthentication(Port *port) */ { char hostinfo[NI_MAXHOST]; + const char *encryption_state; pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, hostinfo, sizeof(hostinfo), NULL, 0, NI_NUMERICHOST); - if (am_walsender) - { + encryption_state = +#ifdef ENABLE_GSS + (port->gss && port->gss->enc) ? _("GSS encryption") : +#endif #ifdef USE_SSL + port->ssl_in_use ? _("SSL encryption") : +#endif + _("no encryption"); + + if (am_walsender) ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + /* translator: last %s describes encryption state */ errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s", hostinfo, port->user_name, - port->ssl_in_use ? _("SSL on") : _("SSL off")))); -#else - ereport(FATAL, - (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), - errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"", - hostinfo, port->user_name))); -#endif - } + encryption_state))); else - { -#ifdef USE_SSL ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + /* translator: last %s describes encryption state */ errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s", hostinfo, port->user_name, port->database_name, - port->ssl_in_use ? _("SSL on") : _("SSL off")))); -#else - ereport(FATAL, - (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), - errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"", - hostinfo, port->user_name, - port->database_name))); -#endif - } + encryption_state))); break; } @@ -454,12 +447,22 @@ ClientAuthentication(Port *port) */ { char hostinfo[NI_MAXHOST]; + const char *encryption_state; pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, hostinfo, sizeof(hostinfo), NULL, 0, NI_NUMERICHOST); + encryption_state = +#ifdef ENABLE_GSS + (port->gss && port->gss->enc) ? _("GSS encryption") : +#endif +#ifdef USE_SSL + port->ssl_in_use ? _("SSL encryption") : +#endif + _("no encryption"); + #define HOSTNAME_LOOKUP_DETAIL(port) \ (port->remote_hostname ? \ (port->remote_hostname_resolv == +1 ? \ @@ -482,41 +485,22 @@ ClientAuthentication(Port *port) 0)) if (am_walsender) - { -#ifdef USE_SSL ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + /* translator: last %s describes encryption state */ errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s", hostinfo, port->user_name, - port->ssl_in_use ? _("SSL on") : _("SSL off")), + encryption_state), HOSTNAME_LOOKUP_DETAIL(port))); -#else - ereport(FATAL, - (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), - errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"", - hostinfo, port->user_name), - HOSTNAME_LOOKUP_DETAIL(port))); -#endif - } else - { -#ifdef USE_SSL ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), + /* translator: last %s describes encryption state */ errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s", hostinfo, port->user_name, port->database_name, - port->ssl_in_use ? _("SSL on") : _("SSL off")), + encryption_state), HOSTNAME_LOOKUP_DETAIL(port))); -#else - ereport(FATAL, - (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), - errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"", - hostinfo, port->user_name, - port->database_name), - HOSTNAME_LOOKUP_DETAIL(port))); -#endif - } break; }