Should database = all in pg_hba.conf match a replication connection?
in [PgSql]
|
Prev: [HACKERS] Should database = all in pg_hba.conf match a replication connection?
Next: Move tablespace
From: Robert Haas on 20 Apr 2010 19:49 On Apr 20, 2010, at 7:06 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote: > I spent a fair amount of time just now being confused about why > pg_hba.conf restrictions on replication connections didn't seem to be > getting enforced. After looking at the code, I realize that my entry > with database = "replication" was indeed getting rejected as not > matching, but then the hba code was falling through and matching an > entry with database = "all". This is not the behavior I expected > after > looking at the docs; the docs seem to imply that SR connections must > match an explicit replication entry in pg_hba.conf in order to > succeed. > > Should we change this? It seems to me to be a good thing on security > grounds if replication connections can't be made through a generic > pg_hba entry. +1. ....Robert -- Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
From: Fujii Masao on 20 Apr 2010 21:52 On Wed, Apr 21, 2010 at 8:49 AM, Robert Haas <robertmhaas(a)gmail.com> wrote: > On Apr 20, 2010, at 7:06 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote: >> I spent a fair amount of time just now being confused about why >> pg_hba.conf restrictions on replication connections didn't seem to be >> getting enforced. After looking at the code, I realize that my entry >> with database = "replication" was indeed getting rejected as not >> matching, but then the hba code was falling through and matching an >> entry with database = "all". This is not the behavior I expected >> after >> looking at the docs; the docs seem to imply that SR connections must >> match an explicit replication entry in pg_hba.conf in order to >> succeed. >> >> Should we change this? It seems to me to be a good thing on security >> grounds if replication connections can't be made through a generic >> pg_hba entry. > > +1. +1 too. Regards, -- Fujii Masao NIPPON TELEGRAPH AND TELEPHONE CORPORATION NTT Open Source Software Center -- Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
From: Tom Lane on 20 Apr 2010 23:33
Fujii Masao <masao.fujii(a)gmail.com> writes: > On Wed, Apr 21, 2010 at 8:49 AM, Robert Haas <robertmhaas(a)gmail.com> wrote: >> On Apr 20, 2010, at 7:06 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote: >>> Should we change this? �It seems to me to be a good thing on security >>> grounds if replication connections can't be made through a generic >>> pg_hba entry. >> >> +1. > +1 too. Done. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers |