On Thu, Jan 5, 2017 at 11:56 AM, Stephen Frost <sfrost@snowman.net> wrote:
> Greetings,
>
> If we keep it to superusers then we aren't changing anything, from my
> point of view at least. That does bring up the question of if it'd be
> useful for a non-superuser to be able to control. I'm on the fence
> about that at the moment. Generally speaking, it's useful for
> non-superusers to be able to control access, but pg_hba is a bit special
> as it also controls the auth method and I'm not sure that is really
> something it makes sense for a non-superuser to hack around.
>
> However, the other bits that pg_hba allows (controlling access based on
> if it's an SSL connection, or based on the source IP) would be nice to
> provide alongside the 'CONNECT' GRANT privilege instead of only being
> able to do in pg_hba.
>
> In short, I'd rather we look at ways to minimize the need for users to
> interact with pg_hba.conf than make it easier to do.
That's an interesting point.
>> One thing I'm kind of happy about is that, as far as I can see, there
>> hasn't been much backlash against the existing ALTER SYSTEM, either
>> from a security point of view or a user-confusion point of view.
>
> I've seen complaints about it and have seen people changing the
> permissions to be root/root on the .auto.conf file to disallow 'regular'
> superusers from doing ALTER SYSTEM. It's not exactly elegant but it's a
> way to avoid the risk of someone messing with the system config without
> going through the CM system.
Hmm, OK. They're not bothered by ALTER DATABASE the_one_everybody_uses?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company