From: | Mark Mielke <mark(at)mark(dot)mielke(dot)cc> |
---|---|
To: | Bart Samwel <bart(at)samwel(dot)tk> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Hostnames in pg_hba.conf |
Date: | 2010-02-11 22:01:44 |
Message-ID: | 4B747E48.8070202@mark.mielke.cc |
Lists: | pgsql-hackers |
On 02/11/2010 04:54 PM, Bart Samwel wrote:
> On Thu, Feb 11, 2010 at 16:36, Mark Mielke <mark(at)mark(dot)mielke(dot)cc
> <mailto:mark(at)mark(dot)mielke(dot)cc>> wrote:
>
>> ISSUE #3: Multiple hostnames?
>>
>> Currently, a pg_hba entry lists an IP / netmask combination. I
>> would suggest allowing lists of hostnames in the entries, so that
>> you can at least mimic the "match multiple hosts by a single
>> rule". Any reason not to do this?
>
> I'm mixed. In some situations, I've wanted to put multiple
> IP/netmask. I would say that if multiple names are supported, then
> multiple IP/netmask should be supported. But, this does make the
> lines unwieldy beyond two or three. This direction leans towards
> the capability to define "host classes", where the rules allow
> the host class, and the host class can have a list of hostnames.
>
>
> Yes, but before you know it people will ask for being able to specify
> multiple host classes. :-) Quite simply put, with a single subnet you
> can allow multiple hosts in. Allowing only a single hostname is a step
> backward from that, so adding support for multiple hostnames could be
> useful if somebody is replacing subnets with hostname-based configuration.

This implies two aspects which may not be true:

1) All hosts that I want to allow belong to the same subnet.
2) If I trust one host on the subnet, then I trust all hosts on the
subnet.

While the above two points are often true, they are not universally true.

>
> 2) What will you do if they specify a hostname and a netmask? This
> seems like a convenient way of saying "everybody on the same
> subnet as NAME."
>
>
> Not supported. Either an IP address / netmask combo, or a hostname,
> but not both. I wouldn't want to recommend hardcoding something such
> as netmasks (which are definitely subnet dependent) in combination
> with something as volatile as a host name -- move it to a different
> subnet, and you might allow a whole bigger subnet than you intended.
> If they want to specify a netmask, then they should just use hardcoded
> IPs as well.

Ah yes, I recall this from a previous thread. I think I also disagreed
on the other thread. :-)

I thought of a use for reverse lookup - it would allow wild card
hostnames. Still, that's an advanced feature that might be for later... :-)

Cheers,
mark

--
Mark Mielke<mark(at)mielke(dot)cc>
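
The trade-offs argued in this message and its quoted replies, modelled as an added example that is not part of the original email or of PostgreSQL: it compares which clients a subnet rule, a multi-hostname rule and a hostname-plus-netmask rule would admit, before and after a named host moves. The rule functions, host names, addresses and the dictionary standing in for DNS are all hypothetical and do not reflect pg_hba.conf syntax.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; all names and
# addresses are made up. DNS_AFTER models app1 being moved to another subnet.
DNS_BEFORE = {"app1.example.com": "10.1.2.10", "app2.example.com": "192.168.7.20"}
DNS_AFTER = {**DNS_BEFORE, "app1.example.com": "10.200.0.10"}

# Constructed client addresses: the two trusted hosts, an untrusted neighbour
# on app1's original subnet, and an unrelated host on app1's new subnet.
CLIENTS = ["10.1.2.10", "192.168.7.20", "10.1.2.99", "10.200.0.77"]

def subnet_rule(cidr):
    """Address/netmask rule: every address inside the subnet matches."""
    net = ipaddress.ip_network(cidr)
    return lambda client, dns: ipaddress.ip_address(client) in net

def hostnames_rule(names):
    """Hypothetical multi-hostname rule: only the named hosts match."""
    def match(client, dns):
        resolved = {ipaddress.ip_address(dns[n]) for n in names if n in dns}
        return ipaddress.ip_address(client) in resolved
    return match

def host_netmask_rule(name, prefix_len):
    """Hypothetical hostname+netmask rule: the subnet follows the name."""
    def match(client, dns):
        if name not in dns:
            return False  # an unresolvable name matches nothing
        net = ipaddress.ip_network(f"{dns[name]}/{prefix_len}", strict=False)
        return ipaddress.ip_address(client) in net
    return match

def allowed(rule, dns, clients=CLIENTS):
    """Return the clients a rule admits under a given DNS view."""
    return [c for c in clients if rule(c, dns)]

if __name__ == "__main__":
    rules = {
        "subnet 10.1.2.0/24": subnet_rule("10.1.2.0/24"),
        "hostnames app1,app2": hostnames_rule(list(DNS_BEFORE)),
        "app1 + /24 netmask": host_netmask_rule("app1.example.com", 24),
    }
    for label, rule in rules.items():
        print(f"{label:22} before={allowed(rule, DNS_BEFORE)}")
        print(f"{'':22} after ={allowed(rule, DNS_AFTER)}")
```

The subnet rule admits the untrusted neighbour and cannot reach app2 at all, while the hostname-plus-netmask rule silently shifts to whatever subnet app1 resolves into.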