Re: Disabling trust/ident authentication configure option

From Robert Haas
Subject Re: Disabling trust/ident authentication configure option
Date
Msg-id CA+TgmobkrjWGrP1vnr+D3OmQd68nGYhUsM3k6q3Nn8BJpLXdhg@mail.gmail.com
In reply to Re: Disabling trust/ident authentication configure option  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Disabling trust/ident authentication configure option  (Volker Aßmann <volker.assmann@gmail.com>)
List pgsql-hackers
On Thu, May 7, 2015 at 4:57 PM, Stephen Frost <sfrost@snowman.net> wrote:
> * Robert Haas (robertmhaas@gmail.com) wrote:
>> On Thu, May 7, 2015 at 11:02 AM, Stephen Frost <sfrost@snowman.net> wrote:
>> > I realize it's not going to be popular, but I'd love to have 'trust'
>> > only allowed if a command-line option is passed to the postmaster or
>> > something along those lines.  It's really got no business being an
>> > option for a network service like PG.
>>
>> I disagree wholeheartedly.  There is such a thing as a trusted network.
>
> Likely a good topic of conversation to be had in Ottawa. :)  I agree
> that there are trusted networks, but the ones that I work with still
> expect network services to require authentication and authorization.
> Perhaps they're not really "trusted" then, from your perspective.  On
> the other hand, I suppose if you use pg_hba to limit which accounts can
> be logged into with 'trust' then you might be able to have, say, a
> "read-only" user/database that anyone could see.  That's a pretty narrow
> case though and I'd rather we figure out how to address it directly and
> more specifically (no-password login roles?) than the broad
> disable-all-authentication "trust" method.

Let's suppose that you have an application server and a DB server
running on the same node.  That turns out to be too much load, so you
move the application server to a separate machine and connect the two
machines with a crossover cable, or a VLAN that has nothing else on
it.  To me, it's quite sane to want connections on that network to
proceed without authentication or authorization.  If you've got to
open up the database more than that then, yes, you need authentication
and authorization.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
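
An added example, not part of the message above or of the PostgreSQL project's code: a small audit that reports every `trust` host rule in a pg_hba.conf that is not confined to the dedicated app-to-DB link discussed in the thread. The sample file, the subnet 192.168.100.0/30 and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample pg_hba.conf; 192.168.100.0/30 is an assumed dedicated-link subnet.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS                          METHOD
local   all       all                                       peer
host    appdb     appuser  192.168.100.0/30                 trust
host    all       all      10.0.0.0/8                       trust
host    all       all      0.0.0.0/0                        scram-sha-256
host    reports   ro_user  all                              trust
host    appdb     appuser  192.168.100.2  255.255.255.255   trust
"""

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def trust_findings(hba_text, dedicated_net):
    """Return (line_no, reason) for 'trust' host rules not confined to dedicated_net."""
    allowed = ipaddress.ip_network(dedicated_net)
    findings = []
    for no, raw in enumerate(hba_text.splitlines(), 1):
        # Simplification: quoted fields and include directives are not handled.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # blank/comment lines and 'local' (Unix-socket) rules
        addr, method = fields[3], fields[4]
        # Address is either CIDR or an IP followed by a separate netmask column.
        if len(fields) > 5 and "/" not in addr and _is_ip(fields[4]):
            addr, method = f"{addr}/{fields[4]}", fields[5]
        if method != "trust":
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            # 'all', 'samehost', 'samenet' or a host name: scope not provable here.
            findings.append((no, f"trust for non-CIDR address '{addr}'"))
            continue
        if net.version != allowed.version or not net.subnet_of(allowed):
            findings.append((no, f"trust for {net}, outside {allowed}"))
    return findings

if __name__ == "__main__":
    for line_no, reason in trust_findings(SAMPLE_HBA, "192.168.100.0/30"):
        print(f"pg_hba.conf line {line_no}: {reason}")
```
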


