From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Chapman Flack <chap(at)anastigmatix(dot)net>, "Bossart, Nathan" <bossartn(at)amazon(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: allow specifying direct role membership in pg_hba.conf |
Date: | 2021-05-14 19:35:26 |
Message-ID: | 2190058.1621020926@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Chapman Flack (chap(at)anastigmatix(dot)net) wrote:
>> If pg_hba syntax changes are being entertained, I would love to be able
>> to set ssl_min_protocol_version locally in a hostssl rule.
>> Some clients at $work are stuck with ancient SSL libraries, but I would
>> much rather be able to weaken ssl_min_protocol_version just for them
>> than do it globally.
> This (unlike what was actually proposed) does seem like it'd be a useful
> improvement. Not sure exaclty how it would work but I'm generally on
> board with the idea.
Seems like putting GUCs directly into pg_hba would be a mess. Would
it be enough to tell people to use ALTER ROLE/DATABASE SET for this,
and then fix things so that we recheck the protocol version (and
possibly bail out) after absorbing those settings?
I can think of objections to this:
* If you actually want to tie the restriction to source IP addresses,
rather than users or databases, this doesn't get the job done.
* The authentication cycle would be completed (or at least mostly
so) before we bail out; so if the concern is about packet-sniffing
or MITM attacks, maybe this would expose too much.
But it does have the advantage of being something it seems like
we could get done easily.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2021-05-14 19:39:39 | Re: PG 14 release notes, first draft |
Previous Message | Stephen Frost | 2021-05-14 19:00:01 | Re: allow specifying direct role membership in pg_hba.conf |