On Fri, 20 Dec 2019 at 15:45, Devrim Gündüz <devrim@gunduz.org> wrote:
Hi,
On Thu, 2019-12-19 at 12:58 +0800, Craig Ringer wrote:
> It's not clear why the initdb wrapper for the rpm packages defaults to > generating 'host' entries with 'ident' auth,
Historical reasons, like at least 15 years or more.
Time to revisit it then.
The current default is already broken. It is more broken than, and less useful than, defaulting to 'md5' for 'host' since at least then users could make it work by setting a password.
ident requires entirely new and different daemons to be installed, configured and enabled.
> but I think it's pretty unhelpful. At least if we used 'md5' the user could > set passwords and have them actually work.
IMHO the only alternative could be "trust", because I am not holding my breath for the majority of our users to be able to setup a password that easily (yeah). I'm also not inclined to setup a default password for RPM installations (and also RPMs must not do any interactive work, like asking for a password)
The deb use md5 for 'host' and 'peer' for 'local'. While I think they do support interactive password setting it's extremely common to run debconf noninteractively, then set an initial password using psql with the peer auth conn over a unix socket.
That's the approach I suggest for the rpms too. A stanza to the setup shell script can even be added to give a hint for next steps:
echo PostgreSQL instance created at /var/lib/pgsql/12/data and set to listen on port $NEWPGPORT.
echo
echo Start it with systemctl start postgresql-12 .
if [ $local_authmode == 'peer' ]; then
echo Connect with 'sudo -u postgres psql -p $NEWPGPORT' to create users, set passwords and create databases.