pg_hba.conf host name wildcard support

Started by Peter Eisentraut over 15 years ago, 4 messages, hackers
#1 Peter Eisentraut
peter_e@gmx.net

So, as previously indicated, let's add some wildcard support to the
pg_hba.conf host name feature. After looking around a bit, two syntaxes
appear to be on offer:

1. TCP Wrappers style, leading dot indicates suffix match.
So .example.com matches anything.example.com. Not sure how useful that
would be, but it could be implemented in about 3 lines of code.

2. Full regular expressions. I'd suggest the pg_ident.conf style, where
a leading slash indicates a regex. An example could be /^dbserver\d\.
With some code refactoring, this would also only take a few extra lines
of code.

Comments, other ideas?

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Peter Eisentraut (#1)
Re: pg_hba.conf host name wildcard support

Peter Eisentraut <peter_e@gmx.net> writes:

> So, as previously indicated, let's add some wildcard support to the
> pg_hba.conf host name feature. After looking around a bit, two syntaxes
> appear to be on offer:
>
> 1. TCP Wrappers style, leading dot indicates suffix match.
> So .example.com matches anything.example.com. Not sure how useful that
> would be, but it could be implemented in about 3 lines of code.
>
> 2. Full regular expressions. I'd suggest the pg_ident.conf style, where
> a leading slash indicates a regex. An example could be /^dbserver\d\.
> With some code refactoring, this would also only take a few extra lines
> of code.

I'd lean to #1 myself. Regexes would be a perpetual foot-gun because
(a) dot is a metacharacter to a regex and (b) a non-anchored pattern
is default but would be insecure in most usages.

There is a SQL-ish solution to those two objections: use LIKE or SIMILAR
TO pattern language not standard regex. But #1 would be far more
familiar to most admin types.

regards, tom lane

#3 Dimitri Fontaine
dimitri@2ndQuadrant.fr
In reply to: Tom Lane (#2)
Re: pg_hba.conf host name wildcard support

Tom Lane <tgl@sss.pgh.pa.us> writes:

> Peter Eisentraut <peter_e@gmx.net> writes:
>
>> 1. TCP Wrappers style, leading dot indicates suffix match.
>> So .example.com matches anything.example.com. Not sure how useful that
>> would be, but it could be implemented in about 3 lines of code.
>
> I'd lean to #1 myself.

FWIW, +1

--
Dimitri Fontaine
http://2ndQuadrant.fr PostgreSQL: Expertise, Training and Support

#4 Peter Eisentraut
peter_e@gmx.net
In reply to: Peter Eisentraut (#1)
Re: pg_hba.conf host name wildcard support

On Thu, 2010-10-21 at 06:38 +0300, Peter Eisentraut wrote:

> So, as previously indicated, let's add some wildcard support to the
> pg_hba.conf host name feature. After looking around a bit, two syntaxes
> appear to be on offer:
>
> 1. TCP Wrappers style, leading dot indicates suffix match.
> So .example.com matches anything.example.com. Not sure how useful that
> would be, but it could be implemented in about 3 lines of code.

Here is a patch for that.

Attachments:

hba-host-pattern.patch (text/x-patch; charset=UTF-8; name=hba-host-pattern.patch), +43 -2
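
The two syntaxes discussed in this thread, as an added example that is not part of any message or of the attached patch: a leading-dot suffix matcher next to an unanchored and an anchored regex, showing the two regex pitfalls raised in #2. The function names and host names are constructed, and POSIX ERE stands in for the server's regex engine (an assumption), so `[0-9]` replaces `\d`.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Option 1 (hypothetical helper): a leading dot means suffix match. The dot
 * is part of the comparison, so a match always starts on a label boundary. */
static bool host_pattern_match(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);

    if (pattern[0] != '.')
        return strcasecmp(pattern, host) == 0;   /* exact name only */
    if (hlen <= plen)
        return false;   /* ".example.com" does not cover "example.com" */
    return strcasecmp(pattern, host + (hlen - plen)) == 0;
}

/* Option 2 stand-in: POSIX ERE search (assumption: not PostgreSQL's regex
 * engine, so [0-9] replaces \d). regexec() finds the pattern anywhere in
 * the string unless the pattern itself is anchored with ^ and $. */
static bool regex_search(const char *pattern, const char *host)
{
    regex_t re;
    bool hit;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return false;   /* an invalid pattern matches nothing */
    hit = regexec(&re, host, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

int main(void)
{
    /* Constructed host names for illustration; none come from the thread. */
    const char *hosts[] = { "db1.example.com", "example.com", "notexample.com",
        "dbserver1.example.com", "dbserver1xexample.com",
        "dbserver1.example.com.other.test" };
    const char *loose = "dbserver[0-9].example.com";          /* unanchored, raw dots */
    const char *strict = "^dbserver[0-9]\\.example\\.com$";   /* anchored, escaped */

    printf("%-34s suffix loose strict\n", "host");
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-34s %6d %5d %6d\n", hosts[i],
               host_pattern_match(".example.com", hosts[i]),
               regex_search(loose, hosts[i]), regex_search(strict, hosts[i]));
    return 0;
}
```

The loose pattern accepts both `dbserver1xexample.com` and `dbserver1.example.com.other.test`; the suffix matcher and the anchored, escaped pattern reject them.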