Re: pg_hba.conf: samehost and samenet [REVIEW]
От | Robert Haas |
---|---|
Тема | Re: pg_hba.conf: samehost and samenet [REVIEW] |
Дата | |
Msg-id | 603c8f070909231412m374632feuc8281c8bc3d3ff64@mail.gmail.com обсуждение исходный текст |
Ответ на | Re: pg_hba.conf: samehost and samenet [REVIEW] (Stef Walter <stef-list@memberwebs.com>) |
Ответы |
Re: pg_hba.conf: samehost and samenet [REVIEW]
(Mark Mielke <mark@mark.mielke.cc>)
|
Список | pgsql-hackers |
On Wed, Sep 23, 2009 at 3:53 PM, Stef Walter <stef-list@memberwebs.com> wrote: > Robert Haas wrote: >> On Wed, Sep 23, 2009 at 12:41 PM, Stef Walter <stef-list@memberwebs.com> wrote: >>> Currently people are adding 0.0.0.0 to a default pg_hba.conf file in >>> order to allow access from nearby machines, without running into the >>> maintenance problems of hard coding IP addresses. However using 0.0.0.0 >>> is clearly suboptimal from a security perspective. >> >> If people aren't willing to take the time (5 minutes?) to create an >> hba.conf file that implements a reasonable security policy, I'm not >> sure anything we can do - and certainly not this - is going to help >> very much. I haven't really looked at this patch, but how confident >> are we that this is actually portable? It would be a shame to spend a >> lot of time and energy troubleshooting portability problems with a >> feature that - IMO - has a fairly marginal use case to begin with. > > Obviously this isn't the an authentication method. If you're using > 'trust' authentication with anything but unix sockets you're pretty > screwed anyway. This is used in conjuction with an authentication method. > > The core problem is with renumbering. Due to IPv4 addresses becoming > more and more scarce, ISPs are regularly foisting renumbering on their > customers. For example, it's in all the new contracts. > > Often renumbering takes place on networks where the original developers > are long gone. > > Postgresql has always been very fragile when renumbering due to hard > coded IP addresses in the pg_hba.conf file. This patch solves that > problem for most of the cases, where hosts nearby on the network can > talk to postgresql hosts without putting fragile rules into pg_hba.conf. > > Allowing host names in pg_hba.conf would also solve this problem, > although the last person who tried to implement this it was a topic of > contention. I asked if I should focus on reverse DNS host names in > pg_hba.conf or portability for this samenet patch, and it was indicated > that I should do the latter. > > If there is clear direction within the community to work on DNS based > stuff in pg_hba.conf I'd be willing to contribute effort there. Personally, I can't imagine using any of these for anything that I cared very much about. IP renumberings are a pain, but I'd rather take a little extra time to make sure it gets done right. I have other things that would need to be fixed too, besides PostgreSQL: for example, IP tables rules. That having been said, I don't think it's my place to harangue someone else about their feature because it doesn't fit my use case. But if it's going to make PostgreSQL not compile/not work the same way on platforms that we otherwise support, then I think it's a bad idea. Otherwise I have no objection. ...Robert
В списке pgsql-hackers по дате отправления: