On Wed, 2010-03-24 at 19:49 +0900, Fujii Masao wrote:
> On Wed, Mar 24, 2010 at 7:29 PM, Simon Riggs <simon@2ndquadrant.com> wrote:
> > So we are allowing a database to be called "REPLICATION"?
>
> Yes.
>
> > Surely there
> > are some significant problems in that case. How will access control to
> > that database work in the pg_hba.conf?
>
> We can do that by enclosing the database field of pg_hba.conf in double
> quotes as follows.
>
> TYPE DATABASE USER CIDR-ADDRESS METHOD
> host "replication" foo 192.168.0.5 md5
>
> In pg_hba.conf, double-quoted keyword like "all", "sameuser", "samerole"
> or "replication" matches a database with that name.
So we might have a pg_hba.conf that looks like this
TYPE DATABASE USER CIDR-ADDRESS METHOD
host "replication" foo 192.168.0.5 md5
host replication foo 192.168.0.5 md5
Which looks pretty strange.
I think we should change that, though if not we should at least document
it.
That probably tips the balance towards having the alternate wording:
LOG: replication connection authorized: user=foo
It also highlights another problem: it's possible to have database names
that contain spaces. There are no double quotes around most of the
things that get logged. So if we do
CREATE DATABASE "oh my god";
will cause things like this to be logged without quotes
LOG: connection authorized: user=foo database=oh my god
-- Simon Riggs www.2ndQuadrant.com
