RE: Let people set host(no)ssl settings from initdb

Поиск
Список
Период
Сортировка
От tsunakawa.takay@fujitsu.com
Тема RE: Let people set host(no)ssl settings from initdb
Дата
Msg-id OSAPR01MB50734B39A76E65BCD09E5B73FE3E0@OSAPR01MB5073.jpnprd01.prod.outlook.com
обсуждение исходный текст
Ответ на Re: Let people set host(no)ssl settings from initdb  (David Fetter <david@fetter.org>)
Ответы Re: Let people set host(no)ssl settings from initdb
Список pgsql-hackers
Дерево обсуждения 
From: David Fetter <david@fetter.org>
> > But I see two problems with the proposed approach: (1) initdb
> > doesn't support setting up SSL, so the only thing you can achieve
> > here is to reject all TCP/IP connections, until you have set up SSL.
>
> I don't believe any special setup is needed to require TLS for the
> connection, which is what this patch handles in a straightforward way.

I think this feature can be useful because it's common to reject remote non-TLS connections.  Eliminating the need to
scriptfor pg_hba.conf is welcome.  Setting GUC parameters just after initdb is relatively easy, because we can simply
addlines at the end of postgresql.conf.  But pg_hba.conf is not because the first matching entry is effective. 

In terms of rejecting non-secure remote connections, should hostgssenc/hostnogssenc also be handled similarly?


> > (2) The default pg_hba.conf only covers localhost connections.
>
> As of this patch, it can be asked to cover all connections.

+      <term><option>--auth-hostssl=<replaceable class="parameter">authmethod</replaceable></option></term>
+      <listitem>
+       <para>
+        This option specifies the authentication method for users via
fg
+        TLS connections used in <filename>pg_hba.conf</filename>
+        (<literal>hostssl</literal> lines).
+       </para>
    +      </listitem>

The relationship between --auth/--auth-local/--auth-host and --auth-hostssl/--auth-hostnossl is confusing.  The former
isfor local connections, and the latter is for remote ones.  Can we just add "remote" in the above documentation? 

Plus, you're adding the first option to initdb that handles remote connections.  As the following execution shows, it
doesn'twarn about using "trust" for remote connections. 


$ initdb --auth=md5 --pwprompt --auth-hostssl=trust --auth-hostnossl=trust
...
syncing data to disk ... ok

Success. You can now start the database server using:

    pg_ctl -D /tuna/pg2 -l logfile start



I think we should emit a warning message like the following existing one:

--------------------------------------------------
initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
-
initdb: warning: enabling "trust" authentication


Regards
Takayuki Tsunakawa

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Michael Paquier
Дата:
Сообщение: Re: [PATCH] Increase the maximum value track_activity_query_size
Следующее
От: Amit Kapila
Дата:
Сообщение: Re: pgsql: Add basic TAP tests for psql's tab-completion logic.