Bug 47276

Summary: Make pg_hba.conf configurable through ucr variable
Product: UCS
Reporter: Jürn Brodersen <brodersen>
Component: PostgreSQL
Assignee: Jannik Ahlers <ahlers>
Status: CLOSED FIXED
QA Contact: Jürn Brodersen <brodersen>
Severity: normal
Priority: P5
CC: hahn, requate
Version: UCS 4.3
Target Milestone: UCS 4.3-2-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=47365
https://forge.univention.org/bugzilla/show_bug.cgi?id=31081
What kind of report is it?: Feature Request
What type of bug is this?: ---

Description Jürn Brodersen univentionstaff 2018-07-02 13:03:35 CEST
Make pg_hba.conf configurable through ucr variable

At the moment it is not possible to add entries to the pg_hba.conf file without adding a ucr template.

Something like:
postgres9.6/pg_hba/my_entry_name="hostssl my_database   all         10.0.0.0/8              md5"
Comment 1 Arvid Requate univentionstaff 2018-10-30 15:41:46 CET
As discussed in team meeting, we should make it generic:

postgres9.6/pg_hba/config/1="settingX   abc   def  ghi"
postgres9.6/pg_hba/config/2="settingY   xyz"

This would allow adding arbitrary ordered lines. We have example code for this in /etc/univention/templates/files/etc/ssh/sshd_config.
Comment 2 Jannik Ahlers univentionstaff 2018-11-13 11:03:23 CET
Successful build
Package: univention-postgresql
Version: 10.0.1-2A~4.3.0.201811131054
Branch: ucs_4.3-0
Scope: errata4.3-2

univention-postgresql.yaml
e486e85118d5 | Bug #47276: yaml

univention-postgresql (10.0.1-2)
c7d4f65b577a | Bug #47276: Add ucr variable postgres9/pg_hba/config/* for additional configuration options in pg_hba.conf file

I implemented the new ucr variable postgres9/pg_hba/config/.* which allows for additional configuration. These variables get inserted in alphabetical order of the variable name.

It's very similar to Arvid's example in sshd_config.
Comment 3 Jürn Brodersen univentionstaff 2018-11-26 17:30:51 CET
I added an example to the ucr variable description.

Package: univention-postgresql
Version: 10.0.1-3A~4.3.0.201811261619
Branch: ucs_4.3-0
Scope: errata4.3-2

ucr set postgres9/pg_hba/config/06="host mydb administrator06 192.168.0.0/24 md5" -> OK
ucr set postgres9/pg_hba/config/05="host mydb administrator05 192.168.0.0/24 md5" -> OK
ucr set postgres9/pg_hba/config/07="host mydb administrator07 192.168.0.0/24 md5" -> OK
ucr unset postgres9/pg_hba/config/06 -> OK
YAML -> OK
Comment 4 Philipp Hahn univentionstaff 2018-11-27 08:37:38 CET
(In reply to Jannik Ahlers from comment #2)
> I implemented the new ucr variable postgres9/pg_hba/config/.* which allows
> for additional configuration. These variables get inserted in alphabetical
> order of the variable name.

If this is 'alphabetical', why is the prefix stripping limited to digits?
sort(key=int) != sort(key=str)


While at it maybe have a look at Bug #31081 and move at least the rule for user "postgres" from 99 to 00.

The order of rules is relevant: The current mechanism can only be used to *append* rules "at the end" which have the *lowest* priority as they come after all rules shipped by packages. This may be desired, but should be documented clearly.


The documentation is inconsistent:
+++ b/services/univention-postgresql/debian/univention-postgresql.univention-config-registry-variables
+Description[en]=Specifies additional configuration options for /etc/postgresql/9.6/main/pg_hba.conf. See `https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html` for details.
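Review bot: in the Description[en] line the documentation URL points at the 9.1 manual while the file it describes is /etc/postgresql/9.6/main/pg_hba.conf; link the 9.6 manual so the two agree. The same description should also say that the lines are inserted in order of the variable name, because the position of a record in pg_hba.conf decides whether it is ever evaluated.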

9.1 vs. 9.6


PS: conffiles/etc/cron.d/postgresql is defunct as those binaries no longer exist and PostgreSQL does automatic vacuum by default <https://www.postgresql.org/docs/9.1/runtime-config-autovacuum.html>
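Why the sort key and the append-only placement raised in comment 4 matter, as an added example that is not part of the bug report or of the univention-postgresql package: PostgreSQL uses the first pg_hba.conf record that matches a connection, so the order of the generated lines decides which rule applies. The variable values, the `PACKAGED` rule and the helper names `render` and `first_match` are constructed for illustration, and the matcher only understands plain `host db user cidr method` records.

```python
import ipaddress

PREFIX = "postgres9/pg_hba/config/"

# Constructed sample values, not taken from a real UCS system.
UCR = {
    PREFIX + "9": "host mydb administrator05 192.168.0.0/24 reject",
    PREFIX + "10": "host mydb all 192.168.0.0/24 md5",
    "postgres9/unrelated": "ignored",
}
# Constructed stand-in for a broader rule shipped ahead of the custom ones.
PACKAGED = ["host all all 192.168.0.0/16 md5"]


def render(ucr, key):
    """Return the custom pg_hba lines, ordered by key(variable suffix)."""
    items = [(k[len(PREFIX):], v) for k, v in ucr.items() if k.startswith(PREFIX)]
    return [line for _, line in sorted(items, key=lambda kv: key(kv[0]))]


def first_match(lines, database, user, addr):
    """Auth method of the first matching 'host' record; PostgreSQL stops at
    the first match and never falls through to later records.
    Simplified: only 'host db user cidr method' records are understood."""
    ip = ipaddress.ip_address(addr)
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[0] != "host":
            continue
        _, db, usr, cidr, method = fields
        if db in ("all", database) and usr in ("all", user) \
                and ip in ipaddress.ip_network(cidr):
            return method
    return None


def demo():
    who = ("mydb", "administrator05", "192.168.0.7")
    return {
        "int": first_match(render(UCR, int), *who),        # 9 before 10
        "str": first_match(render(UCR, str), *who),        # "10" before "9"
        "appended": first_match(PACKAGED + render(UCR, int), *who),
    }


if __name__ == "__main__":
    print(demo())
```

With numeric ordering the `reject` record for administrator05 wins; with string ordering the broader `md5` record is reached first, and once a broader packaged record precedes the custom lines the `reject` is never evaluated at all.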
Comment 5 Arvid Requate univentionstaff 2018-11-28 12:10:46 CET
<http://errata.software-univention.de/ucs/4.3/341.html>