From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Robert Treat <xzilla(at)users(dot)sourceforge(dot)net> |
Cc: | Neil Conway <neilc(at)samurai(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, "Arcadius A(dot)" <ahouans(at)sh(dot)cvut(dot)cz>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org> |
Subject: | Re: MySQL interview, no mention of PostgreSQL |
Date: | 2003-10-17 17:59:10 |
Message-ID: | 200310171759.h9HHxAN15533@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-advocacy |
Robert Treat wrote:
> On Fri, 2003-10-17 at 07:23, Bruce Momjian wrote:
> > Neil Conway wrote:
> > > On Thu, 2003-10-16 at 12:54, Josh Berkus wrote:
> > > > While one could write a utility in Postgres to create/process the file, the
> > > > "live" version of pg_hba.conf *must* be outside the database. If our ACL
> > > > was in the database, then how would we know who has the rights to read the
> > > > ACL?
> > >
> > > I don't see why this is a show-stopping problem. Can you elaborate?
> >
> > We don't want to fire up a backend until we know this is a valid user.
> > You could easily bring a server to a standstill by just sending false
> > connection requests. Sure, you can still do that by flooding the
> > machine, but a database lookup is significantly more expensive than
> > checking a connection packet.
>
> <devils advocate>
> why not hav a guc available in postgresql.conf that switches
> authentication from a pg_hba.conf file to a pg_hba table inside the
> database? this would allow people to choose a database based
> authentication scheme if their willing to shoulder the "risks" involved,
> and would prevent database lockout since you could always flip the guc
> and restart the database to authenticate against the file to allow
> admins back into the system
> </devils advocate>
I guess we could do it, but more easily we could dump a table to the
output file pg_hba.conf just like we do for pg_pwd and pg_group now.
It could be a global table like pg_shadow and pg_group. Of course, you
have the problem of getting the database started to modify the table.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
From | Date | Subject | |
---|---|---|---|
Next Message | Neil Conway | 2003-10-17 18:47:43 | Re: MySQL interview, no mention of PostgreSQL |
Previous Message | Adrian Maier | 2003-10-17 15:26:55 | Romanian Press Release |