Re: On "multi-master"

Andrew Sullivan wrote:

>On Fri, Oct 14, 2005 at 10:20:41AM -0500, Scott Marlowe wrote:
>
>
>>USers accessing machines behind the scenes is a VERY bad idea.  It's not
>>a pgpool bug, is a user bug.  :)
>>
>>
>
>The problem with this glib answer is that we are talking about
>systems where such a "user bug" can cost people millions of dollars.
>They want the _machine_ to prevent the user bug.  That's what they
>think they're buying, and my understanding is that some of the other
>systems provide greater protection.
>
>
Out of curiosity, what is wrong with requiring client SSL certs to
access the system and only issuing them to the PGPool system (or using a
different CA if you need to issue client certs to the end users)?  This
doesn't eliminate the problem, but it does mean that you have to take
the gun out of its sheath, take the safety off, and carefully aim it at
your foot before you can get bit by this user bug....  In other words,
it should eliminate inadvertant circumvention of the protections in
place (though deliberate circumvention is always an issue when both
sides are open source and the DBA has access to all systems-- after all,
the DBA could rewrite the pg_hba to allow connecting from another host,
and then issue the change, but then this isn't really the same
objection, is it).

Best Wishes,
Chris Travers
Metatron Technology Consulting