On Fri, Feb 14, 2014 at 3:32 PM, Bruce Momjian <bruce@momjian.us> wrote:
On Thu, Feb 13, 2014 at 11:28:45PM -0600, Jerry Sievers wrote: > > One issue with this is that pg_hba.conf is order sensitive, which could > > become a trap for the unwary if includes are used carelessly. > > Indeed. > > The other thing that comes to mind, is that as opposed to > postgresql.conf and the include scenario there... one can do show all or > query from pg_stat_activity just to see what setting they ended up > with. > > I'm not aware of any way to probe what hba rules are loaded at runtime > and thus, debugging hba config changes not really possible.
In an ideal world we would have a tool where you could plug in a username, database, IP address, and test pg_hba.conf file and it would report what line is matched.
I almost wrote a function you could call to do that a while back. I never finished it though :)
It's not all that hard to do, but requires some minor refactoring of how the HBA code works.
What would also be useful would be to be able to use such a function/tool against a different file than the current HBA one, to verify *before* you reload...