Commit 3995c424 authored by Tom Lane's avatar Tom Lane

Improve log messages related to pg_hba.conf not matching a connection.

Include details on whether GSS encryption has been activated;
since we added "hostgssenc" type HBA entries, that's relevant info.

Kyotaro Horiguchi and Tom Lane.  Back-patch to v12 where
GSS encryption was introduced.

Discussion: https://postgr.es/m/e5b0b6ed05764324a2f3fe7acfc766d5@smhi.se
parent 622ae462
...@@ -401,44 +401,37 @@ ClientAuthentication(Port *port) ...@@ -401,44 +401,37 @@ ClientAuthentication(Port *port)
*/ */
{ {
char hostinfo[NI_MAXHOST]; char hostinfo[NI_MAXHOST];
const char *encryption_state;
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
hostinfo, sizeof(hostinfo), hostinfo, sizeof(hostinfo),
NULL, 0, NULL, 0,
NI_NUMERICHOST); NI_NUMERICHOST);
if (am_walsender) encryption_state =
{ #ifdef ENABLE_GSS
(port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL #ifdef USE_SSL
port->ssl_in_use ? _("SSL encryption") :
#endif
_("no encryption");
if (am_walsender)
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s", errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
hostinfo, port->user_name, hostinfo, port->user_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")))); encryption_state)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
hostinfo, port->user_name)));
#endif
}
else else
{
#ifdef USE_SSL
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s", errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
hostinfo, port->user_name, hostinfo, port->user_name,
port->database_name, port->database_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")))); encryption_state)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
hostinfo, port->user_name,
port->database_name)));
#endif
}
break; break;
} }
...@@ -454,12 +447,22 @@ ClientAuthentication(Port *port) ...@@ -454,12 +447,22 @@ ClientAuthentication(Port *port)
*/ */
{ {
char hostinfo[NI_MAXHOST]; char hostinfo[NI_MAXHOST];
const char *encryption_state;
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
hostinfo, sizeof(hostinfo), hostinfo, sizeof(hostinfo),
NULL, 0, NULL, 0,
NI_NUMERICHOST); NI_NUMERICHOST);
encryption_state =
#ifdef ENABLE_GSS
(port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
port->ssl_in_use ? _("SSL encryption") :
#endif
_("no encryption");
#define HOSTNAME_LOOKUP_DETAIL(port) \ #define HOSTNAME_LOOKUP_DETAIL(port) \
(port->remote_hostname ? \ (port->remote_hostname ? \
(port->remote_hostname_resolv == +1 ? \ (port->remote_hostname_resolv == +1 ? \
...@@ -482,41 +485,22 @@ ClientAuthentication(Port *port) ...@@ -482,41 +485,22 @@ ClientAuthentication(Port *port)
0)) 0))
if (am_walsender) if (am_walsender)
{
#ifdef USE_SSL
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s", errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
hostinfo, port->user_name, hostinfo, port->user_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")), encryption_state),
HOSTNAME_LOOKUP_DETAIL(port))); HOSTNAME_LOOKUP_DETAIL(port)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
hostinfo, port->user_name),
HOSTNAME_LOOKUP_DETAIL(port)));
#endif
}
else else
{
#ifdef USE_SSL
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s", errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
hostinfo, port->user_name, hostinfo, port->user_name,
port->database_name, port->database_name,
port->ssl_in_use ? _("SSL on") : _("SSL off")), encryption_state),
HOSTNAME_LOOKUP_DETAIL(port)));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
hostinfo, port->user_name,
port->database_name),
HOSTNAME_LOOKUP_DETAIL(port))); HOSTNAME_LOOKUP_DETAIL(port)));
#endif
}
break; break;
} }
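Review bot: The `encryption_state` ternary chain is written out twice, once in the block that reports "pg_hba.conf rejects ..." and again in the block that reports "no pg_hba.conf entry ...", so the two copies can drift apart if another encrypted transport is added or the test order changes. I would move it into one file-local helper called from both blocks (the name below is only a suggestion), with a comment recording that GSS is tested before SSL. Separately, the message suffix changes from "SSL on"/"SSL off" to the new strings, and builds without USE_SSL now get a trailing ", no encryption" where they had none. Since the description says this is back-patched, that is worth a line in the release notes for anyone matching these messages in log monitoring. ClientAuthentication starts and ends outside the hunks shown.

```c
/* Describe the connection's encryption for pg_hba.conf mismatch messages; GSS is tested before SSL. */
static const char *
hba_encryption_state(Port *port)
{
#ifdef ENABLE_GSS
	if (port->gss && port->gss->enc)
		return _("GSS encryption");
#endif
#ifdef USE_SSL
	if (port->ssl_in_use)
		return _("SSL encryption");
#endif
	return _("no encryption");
}

/* … unchanged: hostinfo lookup via pg_getnameinfo_all … */
encryption_state = hba_encryption_state(port);
/* … unchanged: ereport(FATAL, …) calls in both blocks … */
```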