Andrew Dunstan wrote:
> Tino Wildenhain wrote:
>> ...
>> I don't think it has to be ordered preliminary. Since we are
>> dealing with subnets and stuff - the ordering already lies
>> in the data - just like routing tables work: most specific
>> matches first.
>> I could think of a solution where pg_hba.conf just
>> overrides the database table (so you have a starting
>> point with empty table and/or reentry in case of a
>> mistake)
>> ...
> We don't have the luxury of being able just to throw out old stuff
> because we think it might be neater to do it another way. The current
> rules for HBA are order dependent. The issue raised as I understood it
> was not to invent a new scheme but to be able to manage it from inside a
> postgres session.

Not sure about the luxury - iirc there was some change in the format
of pg_hba.conf anyway over time and besides pgadmin3 I don't see
many tools to edit this file (apart from the usual text editor ;)
So I don't see a strong reason to keep it the way it is now just for
some legacy nobody depends on anyway. Alternatively there could
be something like security.conf or the like which deprecates
pg_hba.conf - so if pg_hba.conf is there and has any active
entry in it - things would be like they are now.
If not, then security.conf and the system table would
work like designed, having security.conf read before the table.
A pg_securitydump or the like could be useful to dump the table
to a file in the security.conf format.

Regards
Tino
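
The two matching schemes contrasted in this thread, as an added example that is not part of the original messages or of PostgreSQL's code: it evaluates one rule list under order-dependent first-match and under routing-table-style most-specific match and reports the client addresses whose outcome changes. The rule list, addresses and function names are constructed for illustration, and real pg_hba.conf records carry more columns than the two used here.

```python
import ipaddress

# Constructed sample rules in file order: (client network, auth method).
# Assumption: connection type, database and user columns are left out.
RULES = [
    ("10.0.0.0/8", "md5"),
    ("10.1.2.0/24", "reject"),
    ("0.0.0.0/0", "reject"),
    ("192.168.0.0/16", "md5"),
]

def _parse(rules):
    return [(ipaddress.ip_network(net), method) for net, method in rules]

def first_match(rules, client):
    """Order-dependent: the first rule whose network contains the client wins."""
    addr = ipaddress.ip_address(client)
    for net, method in _parse(rules):
        if addr in net:
            return str(net), method
    return None  # no rule matched

def most_specific_match(rules, client):
    """Routing-table style: the longest matching prefix wins, order is ignored.
    Rules with equal prefix length fall back to file order."""
    addr = ipaddress.ip_address(client)
    hits = [(net, method) for net, method in _parse(rules) if addr in net]
    if not hits:
        return None
    net, method = max(hits, key=lambda hit: hit[0].prefixlen)
    return str(net), method

def divergences(rules, clients):
    """Clients for which the two schemes select a different rule."""
    out = []
    for client in clients:
        ordered = first_match(rules, client)
        specific = most_specific_match(rules, client)
        if ordered != specific:
            out.append((client, ordered, specific))
    return out

if __name__ == "__main__":
    for row in divergences(RULES, ["10.1.2.5", "10.9.9.9", "192.168.1.1", "8.8.8.8"]):
        print(row)
```

Running a check like this over an existing rule set before changing the matching scheme shows which clients would be admitted or rejected differently.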