Re: Allow cluster owner to bypass authentication
From | Andrew Dunstan |
---|---|
Subject | Re: Allow cluster owner to bypass authentication |
Date | |
Msg-id | CAA8=A7_frFa7MnH770WD+h0fa1i-MVnkNkRoJsid+zhjfCFFWQ@mail.gmail.com |
In reply to | Re: Allow cluster owner to bypass authentication (Stephen Frost <sfrost@snowman.net>) |
List | pgsql-hackers |

> > This has been hanging around for a while. I guess the reason it hasn't
> > got much attention is that on its own it's not terribly useful.
> > However, when you consider that it's a sensible prelude to setting a
> > more secure default for auth in initdb (I'd strongly advocate
> > SCRAM-SHA-256 for that) it takes on much more significance.
>
> I'm all for improving the default for auth in initdb, but why wouldn't
> that be peer auth first, followed by SCRAM..? If that's what you're
> suggesting then great, but that wasn't very clear from the email text,
> at least.

What this is suggesting is in effect, for the db owner only and only on a Unix domain socket, peer auth falling back to whatever is in the hba file. That makes setting something like scram-sha-256 as the default more practicable. If we don't do something like this then changing the default could cause far more disruption than our users might like.

> I've not done more than glanced at the patch.

That might pay dividends :-)

cheers

andrew

--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services