docker-library / postgres

Docker Official Image packaging for Postgres
http://www.postgresql.org
MIT License

Can not configure custom authorization at pg_hba.conf because of more global rule #1132

Open EugenKon opened 10 months ago

EugenKon commented 10 months ago

docker-entrypoint.sh sets up host all all all scram-sha-256 in the pg_hba.conf file. https://github.com/docker-library/postgres/blob/8a631b939a0b4197cb6bef49b50b6c40c80ddf5b/15/bookworm/docker-entrypoint.sh#L252

For my database located in a trusted network I want to configure trusted authentication, but cannot, because the first line is matched first:

...
host all all all scram-sha-256
host db user 172.16.0.0/12 trust

My /docker-entrypoint-initdb.d/000-trust.sh script is:

echo "host db user 172.16.0.0/12 trust" >> "${PGDATA}/pg_hba.conf"

It would be nice if you added this catch-all rule later, after processing init files https://github.com/docker-library/postgres/blob/8a631b939a0b4197cb6bef49b50b6c40c80ddf5b/15/bookworm/docker-entrypoint.sh#L331

tianon commented 7 months ago

I'm not sure what changes we can safely make to that ordering, but you should be able to handle this in your initdb script via sed, something like:

sed -i -e '/^host all all all/d' "$PGDATA/pg_hba.conf"

EugenKon commented 7 months ago

It would be nice to disable that functionality so the user can manage it manually, e.g. CUSTOM_PG_HBA=true.
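
The ordering problem discussed in this thread, as an added example that is not part of the issue or of the image's own scripts: an initdb script that inserts the specific rule ahead of the catch-all instead of appending after it or deleting it. The helper name `hba_insert_before_catchall` is hypothetical; the rule text and paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: put a specific pg_hba.conf rule before the catch-all line
# written by docker-entrypoint.sh, because the first matching line is used.

# hba_insert_before_catchall FILE RULE   (hypothetical helper name)
hba_insert_before_catchall() {
    hba_file=$1
    rule=$2

    # Idempotent: nothing to do if the exact rule line is already present.
    if grep -qxF -- "$rule" "$hba_file"; then
        return 0
    fi

    tmp=$(mktemp) || return 1
    # Print the rule just before the first "host all all all ..." line.
    # If the file has no such line, append the rule at the end instead.
    awk -v rule="$rule" '
        !seen && /^[ \t]*host[ \t]+all[ \t]+all[ \t]+all[ \t]/ {
            print rule
            seen = 1
        }
        { print }
        END { if (!seen) print rule }
    ' "$hba_file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Overwrite in place so the owner and mode of pg_hba.conf are kept.
    cat "$tmp" > "$hba_file"
    rm -f "$tmp"
}

# As /docker-entrypoint-initdb.d/000-trust.sh; skipped when PGDATA is unset.
if [ -n "${PGDATA:-}" ] && [ -f "$PGDATA/pg_hba.conf" ]; then
    hba_insert_before_catchall "$PGDATA/pg_hba.conf" \
        "host db user 172.16.0.0/12 trust"
fi
```

Keeping the catch-all scram-sha-256 line in place means any connection that does not match the inserted rule (another database, another user, or an address outside 172.16.0.0/12) still falls through to password authentication.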