| From: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
|---|---|
| To: | Josh Berkus <josh(at)agliodbs(dot)com> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: replication and pg_hba.conf |
| Date: | 2011-01-17 06:44:58 |
| Message-ID: | 4D33E56A.9000900@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 16.01.2011 22:55, Josh Berkus wrote:
>
>> In 9.0, we specifically require using "replication" as database name
>> to start a replication session. In 9.1 we will have the REPLICATION
>> attribute to a role - should we change it so that "all" in database
>> includes replication connections? It certainly goes in the "principle
>> of least surprise" path..
>
> +1. It'll eliminate an entire file to edit for replication setup, so
> does a lot to make initial replication setup easier.
No, we should by secure by default. You usually want to lock down
tightly where replication connections can come from. You know the IP
addresses of your standby servers, so it shouldn't be hard to
If "all" includes replication connections, that makes it harder to
configure pg_hba.conf correctly so that you allow normal connections
from anywhere, but only allow replication connections from a specific IP
address. You'd need two lines, first one to accept replication
connections from the standby, and a second one to reject them from
anywhere else.
But I wonder if we should add lines in the default pg_hba.conf to
"trust" replication connections from loopback, like we do for normal
connections?
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2011-01-17 06:47:58 | Re: replication and pg_hba.conf |
| Previous Message | David E. Wheeler | 2011-01-17 06:42:32 | Re: Fixing GIN for empty/null/full-scan cases |