From: Magnus Hagander on
On Thu, Jan 7, 2010 at 09:26, Fujii Masao <masao.fujii(a)gmail.com> wrote:

> The same problem also exists in pg_hba.conf. It's because I introduced
> new keyword "replication" in pg_hba.conf to authenticate the standby
> server. This restriction is not acceptable? If so, I'd need to consider
> an authentication configuration for replication again: introduce new
> configuration file? just change the keyword name to "unpopular" one?...

I certainly think there are a lot of installations out there with a
database named "replication". That doesn't mean it's unacceptable
though.

However, wouldn't it make more logical sense to replace "host/hostssl"
with "replication/replicationssl" rather than overload the database
field?


--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Fujii Masao on
On Thu, Jan 7, 2010 at 5:44 PM, Magnus Hagander <magnus(a)hagander.net> wrote:
>> Such information are supplied in the parameter 'primary_conninfo' of
>> recovery.conf. For example;
>>
>>    primary_conninfo = 'host=192.168.1.50 port=5432 user=foo'
>
> So the password can just go there, no?

Yeah, the password can be supplied in primary_conninfo.

primary_conninfo = 'host=192.168.1.50 port=5432 user=foo password=foopass'

Also you can use the environment variable PGPASSWORD.
Is this enough? I was thinking that some people would
complain that only the password for replication cannot
be supplied in .pgpass.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Fujii Masao on
On Thu, Jan 7, 2010 at 5:46 PM, Magnus Hagander <magnus(a)hagander.net> wrote:
> However, wouldn't it make more logical sense to replace "host/hostssl"
> with "replication/replicationssl" rather than overload the database
> field?

Seems good. How about the following formats?

replication user CIDR-address auth-method [auth-options]
replicationssl user CIDR-address auth-method [auth-options]
replication user IP-address IP-mask auth-method [auth-options]
replicationssl user IP-address IP-mask auth-method [auth-options]

Note that "database" field has been removed since it's useless
for replication.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Heikki Linnakangas on
Tom Lane wrote:
> Fujii Masao <masao.fujii(a)gmail.com> writes:
>> The attached patch supports new keyword 'replication' on .pgpass file.
>> This keyword is used to specify the password for the standby server to
>> connect to the primary server.
>
> This strikes me as a completely bad idea. We need get no farther than
> the point that it assumes nobody can have a database named "replication"
> (although I notice the patch also appears to assume that libpq knows
> internally that the connection is for replication --- I thought we were
> going to avoid libpq changes for SR?)

As the patch stands there's an extra startup packet, similar to
SSLRequest, in the connection handshake. But I think we should get rid
of that too, and just send an extra "replication=on" option along with
username and other options in the startup packet.

(as Fujii pointed out already, you can have a database called
"replication". But you need to quote it in pg_hba.conf, like you need to
quote "all" and "sameuser/group/role".)

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Magnus Hagander on
On Thu, Jan 7, 2010 at 10:21, Fujii Masao <masao.fujii(a)gmail.com> wrote:
> On Thu, Jan 7, 2010 at 5:46 PM, Magnus Hagander <magnus(a)hagander.net> wrote:
>> However, wouldn't it make more logical sense to replace "host/hostssl"
>> with "replication/replicationssl" rather than overload the database
>> field?
>
> Seems good. How about the following formats?
>
>  replication     user  CIDR-address  auth-method  [auth-options]
>  replicationssl  user  CIDR-address  auth-method  [auth-options]
>  replication     user  IP-address  IP-mask  auth-method  [auth-options]
>  replicationssl  user  IP-address  IP-mask  auth-method  [auth-options]
>
> Note that "database" field has been removed since it's useless
> for replication.

Hm, no, I think I withdraw my comment about pg_hba.conf. It seems
better to overload the database name here. I'm not particularly keen
on yet another different set of columns, which is what happens when
you remove the database field.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers