Improve log messages related to pg_hba.conf not matching a connection.

Include details on whether GSS encryption has been activated;
since we added "hostgssenc" type HBA entries, that's relevant info.

Kyotaro Horiguchi and Tom Lane.  Back-patch to v12 where
GSS encryption was introduced.

Discussion: https://postgr.es/m/e5b0b6ed05764324a2f3fe7acfc766d5@smhi.se
This commit is contained in:
Tom Lane 2020-12-28 17:58:58 -05:00
parent 622ae4621e
commit 3995c42498

View File

@ -401,44 +401,37 @@ ClientAuthentication(Port *port)
*/
{
char hostinfo[NI_MAXHOST];
const char *encryption_state;
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
hostinfo, sizeof(hostinfo),
NULL, 0,
NI_NUMERICHOST);
if (am_walsender)
{
encryption_state =
#ifdef ENABLE_GSS
(port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
port->ssl_in_use ? _("SSL encryption") :
#endif
_("no encryption");
if (am_walsender)
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
hostinfo, port->user_name,
port->ssl_in_use ? _("SSL on") : _("SSL off"))));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
hostinfo, port->user_name)));
#endif
}
encryption_state)));
else
{
#ifdef USE_SSL
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
hostinfo, port->user_name,
port->database_name,
port->ssl_in_use ? _("SSL on") : _("SSL off"))));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
hostinfo, port->user_name,
port->database_name)));
#endif
}
encryption_state)));
break;
}
@ -454,12 +447,22 @@ ClientAuthentication(Port *port)
*/
{
char hostinfo[NI_MAXHOST];
const char *encryption_state;
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
hostinfo, sizeof(hostinfo),
NULL, 0,
NI_NUMERICHOST);
encryption_state =
#ifdef ENABLE_GSS
(port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
port->ssl_in_use ? _("SSL encryption") :
#endif
_("no encryption");
#define HOSTNAME_LOOKUP_DETAIL(port) \
(port->remote_hostname ? \
(port->remote_hostname_resolv == +1 ? \
@ -482,41 +485,22 @@ ClientAuthentication(Port *port)
0))
if (am_walsender)
{
#ifdef USE_SSL
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
hostinfo, port->user_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")),
encryption_state),
HOSTNAME_LOOKUP_DETAIL(port)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
hostinfo, port->user_name),
HOSTNAME_LOOKUP_DETAIL(port)));
#endif
}
else
{
#ifdef USE_SSL
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
hostinfo, port->user_name,
port->database_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")),
encryption_state),
HOSTNAME_LOOKUP_DETAIL(port)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
hostinfo, port->user_name,
port->database_name),
HOSTNAME_LOOKUP_DETAIL(port)));
#endif
}
break;
}