Bug 47276 - Make pg_hba.conf configurable through ucr variable
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: PostgreSQL
UCS 4.3
Other Linux
P5 normal
UCS 4.3-2-errata
Assigned To: Jannik Ahlers
Jürn Brodersen
Reported: 2018-07-02 13:03 CEST by Jürn Brodersen
Modified: 2018-11-28 12:10 CET
What kind of report is it?: Feature Request
Description Jürn Brodersen univentionstaff 2018-07-02 13:03:35 CEST
Make pg_hba.conf configurable through ucr variable

At the moment it is not possible to add entries to the pg_hba.conf file without adding a ucr template.

Something like:
postgres9.6/pg_hba/my_entry_name="hostssl my_database   all         10.0.0.0/8              md5"
Comment 1 Arvid Requate univentionstaff 2018-10-30 15:41:46 CET
As discussed in team meeting, we should make it generic:

postgres9.6/pg_hba/config/1="settingX   abc   def  ghi"
postgres9.6/pg_hba/config/2="settingY   xyz"

This would allow adding of arbitrary ordered lines. We have example code for this in /etc/univention/templates/files/etc/ssh/sshd_config .
Comment 2 Jannik Ahlers univentionstaff 2018-11-13 11:03:23 CET
Successful build
Package: univention-postgresql
Version: 10.0.1-2A~4.3.0.201811131054
Branch: ucs_4.3-0
Scope: errata4.3-2

univention-postgresql.yaml
e486e85118d5 | Bug #47276: yaml

univention-postgresql (10.0.1-2)
c7d4f65b577a | Bug #47276: Add ucr variable postgres9/pg_hba/config/* for additional configuration options in pg_hba.conf file

I implemented the new ucr variable postgres9/pg_hba/config/.* which allows for additional configuration. These variables get inserted in alphabetical order of the variable name.

It's very similar to Arvid's example in sshd_config.
Comment 3 Jürn Brodersen univentionstaff 2018-11-26 17:30:51 CET
I added an example to the ucr variable description.

Package: univention-postgresql
Version: 10.0.1-3A~4.3.0.201811261619
Branch: ucs_4.3-0
Scope: errata4.3-2

ucr set postgres9/pg_hba/config/06="host mydb administrator06 192.168.0.0/24 md5" -> OK
ucr set postgres9/pg_hba/config/05="host mydb administrator05 192.168.0.0/24 md5" -> OK
ucr set postgres9/pg_hba/config/07="host mydb administrator07 192.168.0.0/24 md5" -> OK
ucr unset postgres9/pg_hba/config/06 -> OK
YAML -> OK
Comment 4 Philipp Hahn univentionstaff 2018-11-27 08:37:38 CET
(In reply to Jannik Ahlers from comment #2)
> I implemented the new ucr variable postgres9/pg_hba/config/.* which allows
> for additional configuration. These variables get inserted in alphabetical
> order of the variable name.

If this is 'alphabetical', why is the prefix stripping limited to digits?
sort(key=int) != sort(key=str)


While at it maybe have a look at Bug #31081 and move at least the rule for user "postgres" from 99 to 00.

The order of rules is relevant: The current mechanism can only be used to *append* rules "at the end" which have the *lowest* priority as they come after all rules shipped by packages. This may be desired, but should be documented clearly.


The documentation is inconsistent:
+++ b/services/univention-postgresql/debian/univention-postgresql.univention-config-registry-variables
+Description[en]=Specifies additional configuration options for /etc/postgresql/9.6/main/pg_hba.conf. See `https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html` for details.
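Review bot: the Description[en] line names /etc/postgresql/9.6/main/pg_hba.conf but links to the 9.1 documentation page; point the link at the documentation for the same major version as the path. The description also does not say in which order the configured lines are written into the file, which matters because the order of pg_hba.conf records decides which one applies to a connection; one sentence on the ordering would help administrators.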

9.1 vs. 9.6


PS: conffiles/etc/cron.d/postgresql is defunct as those binaries no longer exist and PostgreSQL does automatic vacuum by default <https://www.postgresql.org/docs/9.1/runtime-config-autovacuum.html>
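The two ordering points raised in comment 4, shown as an added example that is not part of the thread or of the univention-postgresql template: sorting variable suffixes as strings or as integers gives a different rule order, and because pg_hba.conf uses the first matching record, that order decides the authentication outcome. The sample variables, the `PACKAGE_RULES` stand-in and the simplified matcher (plain `host` records with CIDR addresses only) are assumptions constructed for illustration.

```python
import ipaddress

PREFIX = "postgres9/pg_hba/config/"

# Constructed sample values, not taken from a real system.
SAMPLE_UCR = {
    PREFIX + "10": "host mydb all 192.168.0.0/24 md5",
    PREFIX + "9": "host mydb guest 192.168.0.0/24 reject",
    "unrelated/variable": "ignored",
}
# Assumed stand-in for rules a package template renders before the extra lines.
PACKAGE_RULES = ["host all all 0.0.0.0/0 md5"]


def extra_rules(ucr, numeric=False):
    """Return the configured lines ordered by the variable name suffix."""
    items = [(k[len(PREFIX):], v) for k, v in ucr.items() if k.startswith(PREFIX)]
    if numeric:
        # Numeric suffixes by value first, anything else afterwards by name.
        def key(kv):
            return (0, int(kv[0]), "") if kv[0].isdigit() else (1, 0, kv[0])
    else:
        def key(kv):
            return kv[0]
    return [v for _, v in sorted(items, key=key)]


def first_match(lines, database, user, client_ip):
    """Return the method of the first matching 'host' record, or None.

    Simplified matcher: plain 'host' records with a CIDR address only.
    """
    ip = ipaddress.ip_address(client_ip)
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[0] != "host":
            continue
        _, db, usr, cidr, method = fields
        if db in ("all", database) and usr in ("all", user) \
                and ip in ipaddress.ip_network(cidr):
            return method
    return None


if __name__ == "__main__":
    for numeric in (False, True):
        rules = extra_rules(SAMPLE_UCR, numeric)
        print(numeric, rules, first_match(rules, "mydb", "guest", "192.168.0.7"))
    appended = PACKAGE_RULES + extra_rules(SAMPLE_UCR, numeric=True)
    print(first_match(appended, "mydb", "guest", "192.168.0.7"))
```

With string ordering "10" sorts before "9", so the broad md5 record shadows the reject record; with integer ordering the reject record is reached first, and once a broader record precedes the extra lines it is never reached at all.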
Comment 5 Arvid Requate univentionstaff 2018-11-28 12:10:46 CET
<http://errata.software-univention.de/ucs/4.3/341.html>