From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "D'Arcy J.M. Cain" <darcy(at)druid(dot)net> |
Cc: | PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Using both ident and password in pg_hba.conf |
Date: | 2016-05-09 22:15:16 |
Message-ID: | 3533.1462832116@sss.pgh.pa.us |
Lists: | pgsql-general |
"D'Arcy J.M. Cain" <darcy(at)druid(dot)net> writes:
> On Mon, 09 May 2016 17:12:22 -0400
> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> If the same user id + database combinations might be valid in both
>> cases (from both PHP and manual connections) I think your only other
>> option for distinguishing which auth method to use is to make them
>> come in on different addresses. Can you set up a secondary IP
>> interface that only the PHP server uses, for example?
> I did think of that but how do I define that in pg_hba? The host field
> only specifies the remote IP, not the local one.

Right, but you'd be using it essentially as a loopback interface.
Say you set it up as 192.168.0.42 --- you'd tell PHP to connect to
Postgres on 192.168.0.42, and Postgres would also see the PHP connections
as coming in from 192.168.0.42.

I think on most modern OSes you can set up this sort of thing entirely in
software, not even needing a spare NIC card. I haven't done it that way
though.

> I had an idea that that wouldn't be so easy else we would have had it
> by now. However, I am not sure that that is what is needed. I was
> thinking of something like this:
> host all joe@nobody 192.168.151.75/32 password
> host all all 192.168.151.75/32 ident
> The "all@nobody" field is meant to specify that the remote user is
> nobody but that they are connecting as user joe.

As John noted, we don't have any idea what the "remote username" is
at the time we're scanning pg_hba.conf.

regards, tom lane
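
The address-based split suggested in the message above, as an added example that is not part of the original message and not PostgreSQL's own code: a simplified Python model of how the first matching pg_hba.conf record picks the auth method. Only 192.168.0.42 comes from the thread; the /24 ident rule, the 192.168.0.7 client and the function name are constructed assumptions.

```python
import ipaddress

# Constructed rules: password on the PHP-only address from the thread,
# ident for every other client on the subnet (the /24 is an assumption).
# Fields: (type, database, user, address, method)
HBA_RULES = [
    ("host", "all", "all", "192.168.0.42/32", "password"),
    ("host", "all", "all", "192.168.0.0/24", "ident"),
]


def pick_auth_method(rules, database, user, client_addr):
    """Return the method of the first matching host record, or None.

    The lookup key is only (database, database user, client address).
    The remote OS username is not an input: it is learned later, and
    only if the chosen method is ident, so it cannot select a record.
    Simplified model: no user lists, groups, regexes or non-host types.
    """
    addr = ipaddress.ip_address(client_addr)
    for conn_type, db, usr, cidr, method in rules:
        if conn_type != "host":
            continue
        if db not in ("all", database):
            continue
        if usr not in ("all", user):
            continue
        if addr in ipaddress.ip_network(cidr):
            # First match wins; later records are never consulted.
            return method
    return None  # no record matched: the connection is rejected


if __name__ == "__main__":
    # Same database user "joe", different auth depending on the address.
    for client in ("192.168.0.42", "192.168.0.7", "10.0.0.1"):
        print(client, "->", pick_auth_method(HBA_RULES, "app", "joe", client))
    # Order matters: with the broad record first, the /32 is shadowed.
    shadowed = list(reversed(HBA_RULES))
    print("reversed ->", pick_auth_method(shadowed, "app", "joe", "192.168.0.42"))
```

Because the first match is final, the narrower /32 record has to precede any broader record that also covers 192.168.0.42.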