database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-02 11:44:50 +03:00
Code

Improve log messages related to pg_hba.conf not matching a connection.

Browse Source 
Include details on whether GSS encryption has been activated;
since we added "hostgssenc" type HBA entries, that's relevant info.

Kyotaro Horiguchi and Tom Lane.  Back-patch to v12 where
GSS encryption was introduced.

Discussion: https://postgr.es/m/e5b0b6ed05764324a2f3fe7acfc766d5@smhi.se
This commit is contained in:
Tom Lane 2020-12-28 17:58:58 -05:00
parent c1c88bf03e
commit d05e14d786
1 changed files with 28 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
src/backend/libpq/auth.c
View File

@ -401,44 +401,37 @@ ClientAuthentication(Port *port)
*/ */
{ {
char hostinfo[NI_MAXHOST]; char hostinfo[NI_MAXHOST];
const char *encryption_state;
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
hostinfo, sizeof(hostinfo), hostinfo, sizeof(hostinfo),
NULL, 0, NULL, 0,
NI_NUMERICHOST); NI_NUMERICHOST);
if (am_walsender) encryption_state =
{ #ifdef ENABLE_GSS
(port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL #ifdef USE_SSL
port->ssl_in_use ? _("SSL on") :
#endif
_("SSL off");
if (am_walsender)
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s", errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
hostinfo, port->user_name, hostinfo, port->user_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")))); encryption_state)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
hostinfo, port->user_name)));
#endif
}
else else
{
#ifdef USE_SSL
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s", errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
hostinfo, port->user_name, hostinfo, port->user_name,
port->database_name, port->database_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")))); encryption_state)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
hostinfo, port->user_name,
port->database_name)));
#endif
}
break; break;
} }
@ -454,12 +447,22 @@ ClientAuthentication(Port *port)
*/ */
{ {
char hostinfo[NI_MAXHOST]; char hostinfo[NI_MAXHOST];
const char *encryption_state;
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
hostinfo, sizeof(hostinfo), hostinfo, sizeof(hostinfo),
NULL, 0, NULL, 0,
NI_NUMERICHOST); NI_NUMERICHOST);
encryption_state =
#ifdef ENABLE_GSS
(port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
port->ssl_in_use ? _("SSL on") :
#endif
_("SSL off");
#define HOSTNAME_LOOKUP_DETAIL(port) \ #define HOSTNAME_LOOKUP_DETAIL(port) \
(port->remote_hostname ? \ (port->remote_hostname ? \
(port->remote_hostname_resolv == +1 ? \ (port->remote_hostname_resolv == +1 ? \
@ -482,41 +485,22 @@ ClientAuthentication(Port *port)
0)) 0))
if (am_walsender) if (am_walsender)
{
#ifdef USE_SSL
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s", errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
hostinfo, port->user_name, hostinfo, port->user_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")), encryption_state),
HOSTNAME_LOOKUP_DETAIL(port))); HOSTNAME_LOOKUP_DETAIL(port)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
hostinfo, port->user_name),
HOSTNAME_LOOKUP_DETAIL(port)));
#endif
}
else else
{
#ifdef USE_SSL
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s", errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
hostinfo, port->user_name, hostinfo, port->user_name,
port->database_name, port->database_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")), encryption_state),
HOSTNAME_LOOKUP_DETAIL(port))); HOSTNAME_LOOKUP_DETAIL(port)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
hostinfo, port->user_name,
port->database_name),
HOSTNAME_LOOKUP_DETAIL(port)));
#endif
}
break; break;
} }