| From: | Fujii Masao <masao(dot)fujii(at)gmail(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-hackers(at)postgreSQL(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Should database = all in pg_hba.conf match a replication connection? |
| Date: | 2010-04-21 01:52:51 |
| Message-ID: | o2r3f0b79eb1004201852l69b2bfb5t3df8d961600ba1da@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Apr 21, 2010 at 8:49 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Apr 20, 2010, at 7:06 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> I spent a fair amount of time just now being confused about why
>> pg_hba.conf restrictions on replication connections didn't seem to be
>> getting enforced. After looking at the code, I realize that my entry
>> with database = "replication" was indeed getting rejected as not
>> matching, but then the hba code was falling through and matching an
>> entry with database = "all". This is not the behavior I expected
>> after
>> looking at the docs; the docs seem to imply that SR connections must
>> match an explicit replication entry in pg_hba.conf in order to
>> succeed.
>>
>> Should we change this? It seems to me to be a good thing on security
>> grounds if replication connections can't be made through a generic
>> pg_hba entry.
>
> +1.
+1 too.
Regards,
--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Kirkwood | 2010-04-21 03:09:43 | Re: testing HS/SR - 1 vs 2 performance |
| Previous Message | Takahiro Itagaki | 2010-04-21 01:50:26 | Re: [GENERAL] trouble with to_char('L') |