Since we are accepting host names in pg_hba.conf now, I figured it could
be useful to also show the host names in the error message, e.g.,

    no pg_hba.conf entry for host "localhost" (127.0.0.1), user "x", database "y"

Attached is an example patch.  The question might be what criterion to
use for when to show the host name.  It could be

    if (port->remote_hostname_resolv == +1)

that is, we have done the reverse and forward lookup, or

    if (port->remote_hostname_resolv >= 0)

that is, we have only done the reverse lookup (which is consistent with
log_hostname).

Although this whole thing could be quite weird, because the message that
a host name was rejected because the forward lookup didn't match the IP
address is at DEBUG2, so it's usually never shown.  So if we tell
someone that there is 'no pg_hba.conf entry for host "foo"', even though
there is clearly a line saying "foo" in the file, it would be confusing.

Ideas?

diff --git i/src/backend/libpq/auth.c w/src/backend/libpq/auth.c
index 7799111..3701672 100644
--- i/src/backend/libpq/auth.c
+++ w/src/backend/libpq/auth.c
@@ -442,33 +442,61 @@ ClientAuthentication(Port *port)
 				if (am_walsender)
 				{
 #ifdef USE_SSL
-					ereport(FATAL,
-					   (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
-						errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
-							   hostinfo, port->user_name,
-							   port->ssl ? _("SSL on") : _("SSL off"))));
+					if (port->remote_hostname_resolv == +1)
+						ereport(FATAL,
+								(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+								 errmsg("no pg_hba.conf entry for replication connection from host \"%s\" (%s), user \"%s\", %s",
+										port->remote_hostname, hostinfo, port->user_name,
+										port->ssl ? _("SSL on") : _("SSL off"))));
+					else
+						ereport(FATAL,
+								(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+								 errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
+										hostinfo, port->user_name,
+										port->ssl ? _("SSL on") : _("SSL off"))));
 #else
-					ereport(FATAL,
-					   (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
-						errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
-							   hostinfo, port->user_name)));
+					if (port->remote_hostname_resolv == +1)
+						ereport(FATAL,
+								(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+								 errmsg("no pg_hba.conf entry for replication connection from host \"%s\" (%s), user \"%s\"",
+										port->remote_hostname, hostinfo, port->user_name)));
+					else
+						ereport(FATAL,
+								(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+								 errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
+										hostinfo, port->user_name)));
 #endif
 				}
 				else
 				{
 #ifdef USE_SSL
-					ereport(FATAL,
-					   (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
-						errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
-							   hostinfo, port->user_name,
-							   port->database_name,
-							   port->ssl ? _("SSL on") : _("SSL off"))));
+					if (port->remote_hostname_resolv == +1)
+						ereport(FATAL,
+								(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+								 errmsg("no pg_hba.conf entry for host \"%s\" (%s), user \"%s\", database \"%s\", %s",
+										port->remote_hostname, hostinfo, port->user_name,
+										port->database_name,
+										port->ssl ? _("SSL on") : _("SSL off"))));
+					else
+						ereport(FATAL,
+								(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+								 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
+										hostinfo, port->user_name,
+										port->database_name,
+										port->ssl ? _("SSL on") : _("SSL off"))));
 #else
-					ereport(FATAL,
-					   (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
-						errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
-							   hostinfo, port->user_name,
-							   port->database_name)));
+					if (port->remote_hostname_resolv == +1)
+						ereport(FATAL,
+								(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+								 errmsg("no pg_hba.conf entry for host \"%s\" (%s), user \"%s\", database \"%s\"",
+										port->remote_hostname, hostinfo, port->user_name,
+										port->database_name)));
+					else
+						ereport(FATAL,
+								(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+								 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
+										hostinfo, port->user_name,
+										port->database_name)));
 #endif
 				}
 				break;
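Review bot: The `port->remote_hostname_resolv == +1` test, repeated at each of the four message sites in this hunk, carries no comment saying why the host name is shown only in that state. A name obtained from the reverse lookup alone is whatever the PTR record for the client's address says, so printing it in a FATAL message and the server log would present a client-chosen value as the host's identity; the forward-confirmed criterion avoids that and the reason is worth stating. I would add, above the first test, `/* Show the host name only if the forward lookup confirmed it; a reverse-lookup-only name is chosen by whoever controls the client's PTR record. */`. Evaluating the condition once into a local flag would also keep the four sites from drifting apart if the criterion is later changed. ClientAuthentication starts and ends outside the hunk, so whether remote_hostname is always non-NULL in that state cannot be confirmed from here.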