Univention Bugzilla – Bug 47276
Make pg_hba.conf configurable through ucr variable
Last modified: 2018-11-28 12:10:46 CET
At the moment it is not possible to add entries to the pg_hba.conf file without adding a ucr template. Something like:

postgres9.6/pg_hba/my_entry_name="hostssl my_database all 10.0.0.0/8 md5"
As discussed in team meeting, we should make it generic:

postgres9.6/pg_hba/config/1="settingX abc def ghi"
postgres9.6/pg_hba/config/2="settingY xyz"

This would allow adding of arbitrary ordered lines. We have example code for this in /etc/univention/templates/files/etc/ssh/sshd_config .
Successful build
Package: univention-postgresql
Version: 10.0.1-2A~4.3.0.201811131054
Branch: ucs_4.3-0
Scope: errata4.3-2

univention-postgresql.yaml
e486e85118d5 | Bug #47276: yaml

univention-postgresql (10.0.1-2)
c7d4f65b577a | Bug #47276: Add ucr variable postgres9/pg_hba/config/* for additional configuration options in pg_hba.conf file

I implemented the new ucr variable postgres9/pg_hba/config/.* which allows for additional configuration. These variables get inserted in alphabetical order of the variable name. It's very similar to Arvid's example in sshd_config.
I added an example to the ucr variable description.

Package: univention-postgresql
Version: 10.0.1-3A~4.3.0.201811261619
Branch: ucs_4.3-0
Scope: errata4.3-2

ucr set postgres9/pg_hba/config/06="host mydb administrator06 192.168.0.0/24 md5" -> OK
ucr set postgres9/pg_hba/config/05="host mydb administrator05 192.168.0.0/24 md5" -> OK
ucr set postgres9/pg_hba/config/07="host mydb administrator07 192.168.0.0/24 md5" -> OK
ucr unset postgres9/pg_hba/config/06 -> OK
YAML -> OK
(In reply to Jannik Ahlers from comment #2)
> I implemented the new ucr variable postgres9/pg_hba/config/.* which allows
> for additional configuration. These variables get inserted in alphabetical
> order of the variable name.

If this is 'alphabetical', why is the prefix stripping limited to digits?
sort(key=int) != sort(key=str)

While at it maybe have a look at Bug #31081 and move at least the rule for user "postgres" from 99 to 00.

The order of rules is relevant: The current mechanism can only be used to *append* rules "at the end" which have the *lowest* priority as they come after all rules shipped by packages. This may be desired, but should be documented clearly.

The documentation is inconsistent:

+++ b/services/univention-postgresql/debian/univention-postgresql.univention-config-registry-variables
+Description[en]=Specifies additional configuration options for /etc/postgresql/9.6/main/pg_hba.conf. See `https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html` for details.

9.1 vs. 9.6

PS: conffiles/etc/cron.d/postgresql is defunct as those binaries no longer exist and PostgreSQL does automatic vacuum by default <https://www.postgresql.org/docs/9.1/runtime-config-autovacuum.html>
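Review bot: the added Description[en] line names /etc/postgresql/9.6/main/pg_hba.conf but links the 9.1 manual page for auth-pg-hba-conf; link the documentation of the version whose file is being written. The description should also state how the entries are ordered (numeric or string order of the variable name) and that they are placed after the rules shipped by packages, because the position of a record in pg_hba.conf decides whether it is ever reached.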
<http://errata.software-univention.de/ucs/4.3/341.html>
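Added example, not part of the bug report and not Univention's template code: it shows why the sort(key=int) versus sort(key=str) question raised above matters, given that PostgreSQL uses the first pg_hba.conf record that matches a connection. A plain dict stands in for the UCR registry, the function names are hypothetical, the sample values are constructed, and the matcher is simplified to single-value `host*` records with a CIDR address.

```python
import ipaddress

PREFIX = "postgres9/pg_hba/config/"  # variable prefix named in the bug

def extra_rules(ucr, numeric):
    """Return the extra pg_hba.conf lines in the order a template would emit them."""
    items = [(k[len(PREFIX):], v.strip()) for k, v in ucr.items()
             if k.startswith(PREFIX) and v.strip()]
    if numeric:
        # sort(key=int): only all-digit suffixes can take part
        items = [(s, v) for s, v in items if s.isdigit()]
        items.sort(key=lambda item: (int(item[0]), item[0]))
    else:
        # sort(key=str): "10" sorts before "9"
        items.sort(key=lambda item: item[0])
    return [v for _, v in items]

def first_match(lines, database, user, client_ip):
    """Auth method of the first matching 'host' record; PostgreSQL stops there."""
    ip = ipaddress.ip_address(client_ip)
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        _, db, usr, cidr, method = fields[:5]
        if db not in ("all", database) or usr not in ("all", user):
            continue
        if ip in ipaddress.ip_network(cidr, strict=False):
            return method
    return None  # no record matched: PostgreSQL refuses the connection

# Constructed sample values, not taken from the bug report.
SAMPLE_UCR = {
    PREFIX + "9": "host mydb all 192.168.0.66/32 reject",
    PREFIX + "10": "host mydb all 192.168.0.0/24 md5",
    "unrelated/variable": "ignored",
}

if __name__ == "__main__":
    for numeric in (True, False):
        lines = extra_rules(SAMPLE_UCR, numeric)
        print("numeric" if numeric else "string", lines,
              first_match(lines, "mydb", "administrator05", "192.168.0.66"))
```

With numeric ordering the `reject` record for the single host is reached first; with string ordering the broader `md5` record sorts ahead of it and the `reject` never applies.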