Re: Use "samehost" by default in pg_hba.conf?

From Stephen Frost
Subject Re: Use "samehost" by default in pg_hba.conf?
Msg-id 20091001023410.GA17756@tamriel.snowman.net
In response to Use "samehost" by default in pg_hba.conf?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Use "samehost" by default in pg_hba.conf?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Now that the samehost/samenet patch is in, I wonder if it wouldn't be
> a good idea to replace this part of the default pg_hba.conf file:
>
> # IPv4 local connections:
> host    all         all         127.0.0.1/32          @authmethod@
> # IPv6 local connections:
> host    all         all         ::1/128               @authmethod@
>
> with:
>
> # local connections via TCP/IP:
> host    all         all         samehost              @authmethod@
>
> The advantage of this is that connections made with "-h machine_name"
> instead of "-h localhost" would work without customization.  I can't
> see any disadvantage to it.  Making the change now would also give
> us an opportunity to test the samehost/samenet implementation in the
> buildfarm, at least for machines without Unix sockets.

I'm not sure if it out-ranks the advantages of the change for buildfarm
support, but the above change isn't actually without any disadvantage.
Specifically, not every auth mechanism that works with -h machine_name
works with -h localhost, but the first record in pg_hba which is matched
is used.  I could have:

host    all         all         127.0.0.1/32          @authmethod@
host    all         all         A.B.C.D/32            @authmethod2@

today and a change to:

host    all         all         samehost              @authmethod@
host    all         all         A.B.C.D/32            @authmethod2@

could override my authmethod2 and cause connections to fail, since it
isn't intended to be used.  Additionally, a user could be confused if
they're familiar with 127.0.0.1/32 and not figure out why a change to
samehost is causing problems.

> (Note that you would still need a non-default setting of
> listen_addresses for "-h machine_name" to actually work.)

In any case, this is about the default pg_hba.conf and what I'm talking
about is KRB5/GSSAPI related (127.0.0.1 may not work if it resolves to
'localhost' because KRB5/GSSAPI auth is based off getting the hostname
of the machine being connected to from the reverse DNS of the IP being
connected to).  As such, it's entirely possible that it's completely
irrelevant, but I wanted to bring up that 127.0.0.1->samehost could
cause issues for some folks in some configurations.
Thanks,
    Stephen
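
The first-match behaviour discussed in the message above, as an added example that is not part of the original post or of PostgreSQL: a simplified model of pg_hba.conf record selection showing how a leading samehost record takes over connections that used to reach a later record for the server's own address. It assumes only "host" records with database and user "all", CIDR or samehost addresses, 192.0.2.10 in place of A.B.C.D, and md5/gss in place of @authmethod@/@authmethod2@.

```python
import ipaddress

# Constructed sample: 192.0.2.10 stands in for the A.B.C.D placeholder in the
# message; "md5" and "gss" stand in for @authmethod@ and @authmethod2@.
LOCAL_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "192.0.2.10")}

BEFORE = """
host    all    all    127.0.0.1/32     md5
host    all    all    192.0.2.10/32    gss
"""
AFTER = """
host    all    all    samehost         md5
host    all    all    192.0.2.10/32    gss
"""

def parse(text):
    """Return (address, method) for each 'host' record, in file order."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[3], f[4]) for f in rows if len(f) >= 5 and f[0] == "host"]

def address_matches(spec, client, local_addrs):
    """True if the record's address field covers the client address."""
    ip = ipaddress.ip_address(client)
    if spec == "samehost":                  # any address the server itself owns
        return ip in local_addrs
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net

def auth_method(text, client, local_addrs=LOCAL_ADDRS):
    """Method of the first matching record; later records are never consulted."""
    for spec, method in parse(text):
        if address_matches(spec, client, local_addrs):
            return method
    return None                             # no matching record: rejected

def shadowed_by_samehost(text, local_addrs=LOCAL_ADDRS):
    """Single-address records after a samehost line that can no longer match."""
    seen_samehost, hits = False, []
    for spec, method in parse(text):
        if spec == "samehost":
            seen_samehost = True
        elif seen_samehost:
            net = ipaddress.ip_network(spec, strict=False)
            if net.num_addresses == 1 and net.network_address in local_addrs:
                hits.append((spec, method))
    return hits
```

Running `shadowed_by_samehost` over a candidate pg_hba.conf before switching 127.0.0.1/32 to samehost lists the records whose auth method would silently stop being used.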
