From: | Bart Samwel <bart(at)samwel(dot)tk> |
---|---|
To: | Mark Mielke <mark(at)mark(dot)mielke(dot)cc> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Hostnames in pg_hba.conf |
Date: | 2010-02-12 08:04:59 |
Message-ID: | ded01eb21002120004g5622bdedo28364c9b29e0ec7a@mail.gmail.com |
Lists: | pgsql-hackers |
On Fri, Feb 12, 2010 at 02:31, Mark Mielke <mark(at)mark(dot)mielke(dot)cc> wrote:
> But once there, it seems clear that packing hostnames or netmasks onto one
> line is just ugly and hard to manage. I'd like to see this extended to any
> of the many ways to allow hostnames to be specified one per line. For
> example:
>
> set tool_servers {
> 127.0.0.1/32
> ::1/128
> 1.2.3.4/32
> 1.2.3.5/32
> }
>
> host DATABASE USER $tool_servers md5
>
> The above features easy parsing capability.
>
> Of course, then I'll ask for the ability to simplify specifying multiple
> databases:
>
> set databases {
> db1
> db2
> }
>
> set users {
> user1
> user2
> }
>
> host $databases $users $tool_servers md5
>
> Sorry... :-)
>
Definitely sounds useful! But I do now see that this is entirely orthogonal
to what I was trying to do -- which means I don't have to do anything about
it. :-)
> I think wildcards are interesting, but I have yet to see an actual use
> case other than "it's cool and very generalized". In my mind (tell me if I'm
> wrong), the most common type of PostgreSQL authentication setup is within a
> local network within an organization. There, you either authorize an entire
> subnet ("the entire server park" or "all client PCs") or you authorize
> specific hosts (single IP address). The wildcard case is for replacing the
> first case, but for that case, subnets are usually just fine. I'm trying to
> target the second case here.
>
> The user case would be an organization with nodes all over the IP space,
> that wants to manage configuration from a single place. DNS would be that
> single place of choice. It moves trust from "trust the netmasks to be kept
> up-to-date" to "trust that DNS will be kept up-to-date". Since DNS has
> important reasons to be up-to-date, it's a pretty safe bet that DNS is as
> up-to-date as, or more so than, pg_hba.conf hard-coded netmasks. It makes sense, but
> it can be a later use case. It doesn't have to be in version 1.
>
DNS is preferred to subnets in that regard, definitely. But again, that
points to the per-hostname route, and it's not a use case for the wildcard
route (unless people explicitly choose to organize their DNS hierarchy so
that they can use it for PostgreSQL authorization -- doubtful.)
Cheers,
Bart
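The `set NAME { ... }` block syntax Mark sketches above is only a proposal, so here is a small expander, added as an example and not code from this thread or from PostgreSQL, that turns such a file into ordinary one-rule-per-line pg_hba.conf entries and refuses to emit anything when an address is malformed (including a CIDR with host bits set, e.g. `10.0.0.1/24`) or a `$variable` is undefined. The block grammar, the `$NAME` substitution and the sample input are assumptions taken from Mark's sketch; the plain-hostname check is an addition of mine for the per-hostname case discussed here.

```python
# Expander for the hypothetical "set NAME { ... }" pg_hba.conf dialect sketched
# in this thread. Constructed example: not PostgreSQL code, and not syntax that
# PostgreSQL actually accepts.
import ipaddress
import re
from itertools import product

SET_OPEN = re.compile(r"^set\s+(\w+)\s*\{$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")

# Constructed sample input, following Mark's sketch above.
SAMPLE = """\
set tool_servers {
    127.0.0.1/32
    ::1/128
    1.2.3.4/32
    1.2.3.5/32
}
set databases {
    db1
    db2
}
set users {
    user1
    user2
}
host $databases $users $tool_servers md5
"""


def parse(text):
    """Split the file into variable blocks and the remaining rule lines."""
    variables, rules, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if current is not None:  # inside a set block: one entry per line
            if line == "}":
                current = None
            else:
                variables[current].append(line)
            continue
        m = SET_OPEN.match(line)
        if m:
            name = m.group(1)
            if name in variables:
                raise ValueError(f"line {lineno}: variable '{name}' redefined")
            variables[name] = []
            current = name
            continue
        rules.append((lineno, line))
    if current is not None:
        raise ValueError(f"unterminated set block '{current}'")
    return variables, rules


def check_address(addr, lineno):
    """Accept a well-formed IP/CIDR literal or a plausible hostname, else fail."""
    try:
        # strict=True rejects networks with host bits set (e.g. 10.0.0.1/24),
        # which in an access-control list is almost always a typo.
        ipaddress.ip_network(addr, strict=True)
        return
    except ValueError:
        pass
    # Hostname branch: require at least one letter so a mangled IP literal
    # such as 300.1.1.1 is not silently accepted as a DNS name.
    if HOSTNAME.match(addr) and re.search("[A-Za-z]", addr):
        return
    raise ValueError(f"line {lineno}: bad address '{addr}'")


def expand(text):
    """Return plain pg_hba.conf lines, one (db, user, address) triple per line."""
    variables, rules = parse(text)

    def resolve(field, lineno):
        if not field.startswith("$"):
            return [field]
        name = field[1:]
        if name not in variables:
            raise ValueError(f"line {lineno}: undefined variable '{name}'")
        return variables[name]

    out = []
    for lineno, rule in rules:
        f = rule.split()
        if f[0] == "local":  # local rules carry no address field
            if len(f) < 4:
                raise ValueError(f"line {lineno}: too few fields")
            dbs, users, addrs, rest = f[1], f[2], [None], f[3:]
        else:
            if len(f) < 5:
                raise ValueError(f"line {lineno}: too few fields")
            dbs, users, addrs, rest = f[1], f[2], resolve(f[3], lineno), f[4:]
        for db, user, addr in product(resolve(dbs, lineno), resolve(users, lineno), addrs):
            if addr is not None:
                check_address(addr, lineno)
            out.append(" ".join([f[0], db, user] + ([addr] if addr else []) + rest))
    return out


def is_valid(text):
    """True when the file expands without error; usable as a pre-reload check."""
    try:
        expand(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("\n".join(expand(SAMPLE)))
```

Running the block prints the 16 `host` lines the sample expands to (2 databases x 2 users x 4 addresses). Because the expander fails closed on any bad entry, it fits the "one host per line, keep it manageable" point: the generated file is what the server would read, and a typo in one entry stops the whole reload rather than quietly widening access.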