I wrote: > Kyotaro Horiguchi <horikyota....@gmail.com> writes: >> The attached the first patch does that.
> +1, it seems like a clear oversight that the GSSENC patches didn't adjust > these messages. The reason SSL state is mentioned is that it's relevant > to which pg_hba entry gets chosen; and once we invented "hostgssenc" > entries, GSSENC state is also relevant. Thinking a little more about that: there are not four distinct states, because GSS and SSL can't both be enabled (ProcessStartupPacket enforces that). So I propose that instead of adding a new field, we make the existing field say one of three things: "GSS encryption", "SSL encryption", or "no encryption". As per attached. In the back branches, it might be best to spell these as "GSS encryption", "SSL on", and "SSL off", just to minimize the cosmetic change. regards, tom lane
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 3d80930968..45572161cb 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -412,44 +412,37 @@ ClientAuthentication(Port *port)
 */
 {
 char hostinfo[NI_MAXHOST];
+ const char *encryption_state;
 pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, hostinfo, sizeof(hostinfo), NULL, 0, NI_NUMERICHOST);
- if (am_walsender)
- {
+ encryption_state =
+#ifdef ENABLE_GSS
+ port->gss->enc ? _("GSS encryption") :
+#endif
 #ifdef USE_SSL
+ port->ssl_in_use ? _("SSL encryption") :
+#endif
+ _("no encryption");
+
+ if (am_walsender)
 ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ /* translator: last %s describes encryption state */
 errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s", hostinfo, port->user_name,
- port->ssl_in_use ? _("SSL on") : _("SSL off"))));
-#else
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
- hostinfo, port->user_name)));
-#endif
- }
+ encryption_state)));
 else
- {
-#ifdef USE_SSL
 ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ /* translator: last %s describes encryption state */
 errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s", hostinfo, port->user_name, port->database_name,
- port->ssl_in_use ? _("SSL on") : _("SSL off"))));
-#else
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
- hostinfo, port->user_name,
- port->database_name)));
-#endif
- }
+ encryption_state)));
 break;
 }
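Review bot: `port->gss->enc` is read without first checking `port->gss`, in the new `encryption_state` expression under `#ifdef ENABLE_GSS`. Where `port->gss` is allocated is not visible in this hunk; if it can still be NULL when a pg_hba.conf rejection is reported, the backend would crash while handling a not-yet-authenticated connection instead of emitting the FATAL message. I would guard the test: `(port->gss && port->gss->enc) ? _("GSS encryption") :`. The identical expression is added again in the hunk at -465,12 +458,22 and needs the same guard. ClientAuthentication's body starts and ends outside the hunk.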
@@ -465,12 +458,22 @@ ClientAuthentication(Port *port)
 */
 {
 char hostinfo[NI_MAXHOST];
+ const char *encryption_state;
 pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, hostinfo, sizeof(hostinfo), NULL, 0, NI_NUMERICHOST);
+ encryption_state =
+#ifdef ENABLE_GSS
+ port->gss->enc ? _("GSS encryption") :
+#endif
+#ifdef USE_SSL
+ port->ssl_in_use ? _("SSL encryption") :
+#endif
+ _("no encryption");
+
 #define HOSTNAME_LOOKUP_DETAIL(port) \
 (port->remote_hostname ? \
 (port->remote_hostname_resolv == +1 ? \
@@ -493,41 +496,22 @@ ClientAuthentication(Port *port)
 0))
 if (am_walsender)
- {
-#ifdef USE_SSL
 ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ /* translator: last %s describes encryption state */
 errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s", hostinfo, port->user_name,
- port->ssl_in_use ? _("SSL on") : _("SSL off")),
+ encryption_state),
 HOSTNAME_LOOKUP_DETAIL(port)));
-#else
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
- hostinfo, port->user_name),
- HOSTNAME_LOOKUP_DETAIL(port)));
-#endif
- }
 else
- {
-#ifdef USE_SSL
 ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ /* translator: last %s describes encryption state */
 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s", hostinfo, port->user_name, port->database_name,
- port->ssl_in_use ? _("SSL on") : _("SSL off")),
- HOSTNAME_LOOKUP_DETAIL(port)));
-#else
- ereport(FATAL,
- (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
- hostinfo, port->user_name,
- port->database_name),
+ encryption_state),
 HOSTNAME_LOOKUP_DETAIL(port)));
-#endif
- }
 break;
 }
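Review bot: The `encryption_state` expression added in the -465,12 +458,22 hunk is a token-for-token copy of the one added in the first hunk (-412,44 +412,37), so the two pg_hba.conf message sites can drift apart if another transport is ever added. A small static helper above ClientAuthentication would keep the mapping in one place, and each case block would reduce to a single assignment. The helper is also the one spot where a NULL check on `port->gss` belongs, should that pointer be able to be NULL at this point (its allocation is not visible from the hunk). The helper name below is only a suggestion. ClientAuthentication's body starts and ends outside the hunk.

```c
/* Describe the connection's transport encryption for pg_hba.conf messages. */
static const char *
hba_encryption_state(Port *port)
{
#ifdef ENABLE_GSS
	if (port->gss && port->gss->enc)
		return _("GSS encryption");
#endif
#ifdef USE_SSL
	if (port->ssl_in_use)
		return _("SSL encryption");
#endif
	return _("no encryption");
}

/* ... unchanged: hostinfo lookup via pg_getnameinfo_all ... */
encryption_state = hba_encryption_state(port);
```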