Re: [HACKERS] pg_hba.conf and IP-MASK - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: [HACKERS] pg_hba.conf and IP-MASK
Date
Msg-id 200408261658.i7QGwF525048@candle.pha.pa.us
List pgsql-patches
OK, doc patch attached and applied that prefers CIDR format for pg_hba.conf.

---------------------------------------------------------------------------

Andrew Dunstan wrote:
> Tom Lane said:
> > "Andrew Dunstan" <andrew@dunslane.net> writes:
> >> Since our defaults don't use old-style masks any more, I would be
> >> tempted to remove the column labels for IP-ADDRESS and IP-MASK, and
> >> instead put in a single heading of IP-ADDRESS/CIDR-MASK.
> >
> > I don't know why there is any debate about this.  When I said "fix the
> > comments to agree with the code", the column headings were certainly
> > one of the things I had in mind.  You should have done that in the
> > original patch.
> >
>
> Then I apologise. As I think I indicated, my time is very limited right now.
> So rather than submit things that are incomplete I will be refraining from
> pretty much any pg work for a while - I already did a lot more than I
> originally set as my goals for this release.
>
> cheers
>
> andrew
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
>       subscribe-nomail command to majordomo@postgresql.org so that your
>       message can get through to the mailing list cleanly
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql-server/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.65
diff -c -c -r1.65 client-auth.sgml
*** doc/src/sgml/client-auth.sgml    23 Mar 2004 01:23:48 -0000    1.65
--- doc/src/sgml/client-auth.sgml    26 Aug 2004 16:11:06 -0000
***************
*** 86,97 ****
     A record may have one of the seven formats
  <synopsis>
  local      <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
  host       <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
  hostssl    <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
  hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
- host       <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
- hostssl    <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
- hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
  </synopsis>
     The meaning of the fields is as follows:

--- 86,97 ----
     A record may have one of the seven formats
  <synopsis>
  local      <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
+ host       <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable>
<optional><replaceable>authentication-option</replaceable></optional>
+ hostssl    <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable>
<optional><replaceable>authentication-option</replaceable></optional>
+ hostnossl  <replaceable>database</replaceable>    <replaceable>user</replaceable>
<replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable>
<optional><replaceable>authentication-option</replaceable></optional>
  host       <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
  hostssl    <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
  hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> 
  </synopsis>
     The meaning of the fields is as follows:

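Review bot: The added `hostnossl` line in the synopsis is indented differently from its `host` and `hostssl` siblings (four spaces before `<replaceable>user</replaceable>` instead of two), so the rendered synopsis will not line up; use the same two-space gap. Separately, the second group of three formats still names the fields `IP-address` and `IP-mask`, so the field descriptions that follow need a `<term>` spelled exactly `IP-mask` for readers to find the matching entry.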
***************
*** 196,214 ****
      </varlistentry>

      <varlistentry>
!      <term><replaceable>IP-address</replaceable></term>
!      <term><replaceable>IP-mask</replaceable></term>
       <listitem>
        <para>
!        These two fields contain IP address and mask values in standard
!        dotted decimal notation. (IP addresses can only be specified
!        numerically, not as domain or host names.)  Taken together they
!        specify the client machine IP addresses that this record
!        matches.  The precise logic is that
! <programlisting>
! (<replaceable>actual-IP-address</replaceable> xor <replaceable>IP-address-field</replaceable>) and
<replaceable>IP-mask-field</replaceable>
! </programlisting>
!        must be zero for the record to match.
        </para>

        <para>
--- 196,218 ----
      </varlistentry>

      <varlistentry>
!      <term><replaceable>CIDR-address</replaceable></term>
       <listitem>
        <para>
!        specifies the client machine IP addresses that this record
!        matches. It contains an IP address in standard dotted decimal
!        notation and a CIDR mask length. (IP addresses can only be
!        specified numerically, not as domain or host names.) For example,
!        an IPv4 CIDR mask of 8 is equivalent to an IP mask of 255.0.0.0,
!        an IPv6 CIDR mask of 64 is equivalent to an IP mask of
!        ffff:ffff:ffff:ffff::. A IPv4 CIDR mask of 32 is used for single
!        hosts.
!       </para>
!
!       <para>
!        A typical CIDR address is <literal>172.20.143.89/32</literal>.
!        There should be no white space between the IP address, the
!        <literal>/</literal>, and the CIDR mask length.
        </para>

        <para>
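Review bot: The removed `<programlisting>` with the `(actual-IP-address xor IP-address-field) and IP-mask-field` rule is not restated for `CIDR-address`, so after this change the documentation no longer says how the mask length is applied; keep a sentence to the effect that the record matches when the client address and the given address agree in their high-order mask-length bits. The allowed range of the mask length (0 to 32 for IPv4, 0 to 128 for IPv6) also disappears from this section and should be stated here, since this entry is now the primary one. Minor wording: the paragraph begins with lowercase "specifies", and "A IPv4 CIDR mask of 32" should read "An IPv4 CIDR mask of 32".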
***************
*** 229,254 ****
      </varlistentry>

      <varlistentry>
       <term><replaceable>IP-masklen</replaceable></term>
       <listitem>
        <para>
!        This field may be used as an alternative to the
!        <replaceable>IP-mask</replaceable> notation.  It is an integer
!        specifying the number of high-order bits to set in the mask.
!        The number must be between 0 and 32 (in the case of an IPv4
!        address) or 128 (in the case of an IPv6 address) inclusive. 0
!        will match any address, while 32 (or 128, respectively) will
!        match only the exact host specified.  The same matching logic
!        is used as for a dotted notation
!        <replaceable>IP-mask</replaceable>.
!       </para>
!
!       <para>
!        There must be no white space between the
!        <replaceable>IP-address</replaceable> and the
!        <literal>/</literal> or the <literal>/</literal> and the
!        <replaceable>IP-masklen</replaceable>, or the file will not be
!        parsed correctly.
        </para>

        <para>
--- 233,249 ----
      </varlistentry>

      <varlistentry>
+      <term><replaceable>IP-address</replaceable></term>
       <term><replaceable>IP-masklen</replaceable></term>
       <listitem>
        <para>
!        This may be used as an alternative to the
!        <replaceable>CIDR-address</replaceable> notation. Instead of
!        specifying the mask length, the actual mask is specified in a
!        separate column. For example, 255.0.0.0 represents a IPv4 CIDR
!        mask length of 8, and 255.255.255.255 represents a CIDR mask
!        length of 32. The same matching logic is used as for a dotted
!        notation <replaceable>IP-mask</replaceable>.
        </para>

        <para>
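Review bot: The new paragraph describes the dotted-decimal netmask given in a separate column, which is the `IP-mask` field of the synopsis, but the second `<term>` is left as `IP-masklen`; rename it to `<term><replaceable>IP-mask</replaceable></term>` so the term matches the synopsis and the text. The closing sentence "The same matching logic is used as for a dotted notation IP-mask" is now circular, because this entry is the dotted-notation mask and the matching logic it pointed to was removed from the old `IP-address`/`IP-mask` entry; either restate the rule or point at the `CIDR-address` entry. Also "represents a IPv4 CIDR mask length" should read "represents an IPv4 CIDR mask length".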
***************
*** 458,493 ****
  # any user name using Unix-domain sockets (the default for local
  # connections).
  #
! # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
! local   all         all                                             trust

  # The same using local loopback TCP/IP connections.
  #
! # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
! host    all         all         127.0.0.1         255.255.255.255   trust

! # The same as the last line but using a CIDR mask
  #
! # TYPE  DATABASE    USER        IP-ADDRESS/CIDR-mask  METHOD
! host    all         all         127.0.0.1/32          trust

  # Allow any user from any host with IP address 192.168.93.x to connect
  # to database "template1" as the same user name that ident reports for
  # the connection (typically the Unix user name).
  #
! # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
! host    template1   all         192.168.93.0      255.255.255.0     ident sameuser

! # The same as the last line but using a CIDR mask
  #
! # TYPE  DATABASE    USER        IP-ADDRESS/CIDR-mask  METHOD
! host    template1   all         192.168.93.0/24       ident sameuser

  # Allow a user from host 192.168.12.10 to connect to database
  # "template1" if the user's password is correctly supplied.
  #
! # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
! host    template1   all         192.168.12.10     255.255.255.255   md5

  # In the absence of preceding "host" lines, these two lines will
  # reject all connection from 192.168.54.1 (since that entry will be
--- 453,488 ----
  # any user name using Unix-domain sockets (the default for local
  # connections).
  #
! # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
! local   all         all                               trust

  # The same using local loopback TCP/IP connections.
  #
! # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
! host    all         all         127.0.0.1/32          trust

! # The same as the last line but using a separate netmask column
  #
! # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
! host    all         all         127.0.0.1     255.255.255.255     trust

  # Allow any user from any host with IP address 192.168.93.x to connect
  # to database "template1" as the same user name that ident reports for
  # the connection (typically the Unix user name).
  #
! # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
! host    template1   all         192.168.93.0/24       ident sameuser

! # The same as the last line but using a separate netmask column
  #
! # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
! host    template1   all         192.168.93.0  255.255.255.0   ident sameuser

  # Allow a user from host 192.168.12.10 to connect to database
  # "template1" if the user's password is correctly supplied.
  #
! # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
! host    template1   all         192.168.12.10/32      md5

  # In the absence of preceding "host" lines, these two lines will
  # reject all connection from 192.168.54.1 (since that entry will be
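Review bot: The two examples that use a separate netmask column (`127.0.0.1     255.255.255.255     trust` and `192.168.93.0  255.255.255.0   ident sameuser`) are placed under a header reading `CIDR-ADDRESS          METHOD`, which does not describe their two-column layout; the old text gave each style its own header, so give these a header such as `# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD`. The two lines are also aligned differently from each other (the mask and method columns do not coincide), which makes the example harder to read than the table it replaces.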
***************
*** 495,503 ****
  # on the Internet.  The zero mask means that no bits of the host IP
  # address are considered so it matches any host.
  #
! # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
! host    all         all         192.168.54.1      255.255.255.255   reject
! host    all         all         0.0.0.0           0.0.0.0           krb5

  # Allow users from 192.168.x.x hosts to connect to any database, if
  # they pass the ident check.  If, for example, ident says the user is
--- 490,498 ----
  # on the Internet.  The zero mask means that no bits of the host IP
  # address are considered so it matches any host.
  #
! # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
! host    all         all         192.168.54.1/32       reject
! host    all         all         0.0.0.0/0             krb5

  # Allow users from 192.168.x.x hosts to connect to any database, if
  # they pass the ident check.  If, for example, ident says the user is
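Review bot: The unchanged comment above still explains the catch-all line in terms of "The zero mask means that no bits of the host IP address are considered", while the line now reads `0.0.0.0/0`; reword it to say that a mask length of 0 matches any host, so the comment refers to the notation actually shown.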
***************
*** 505,512 ****
  # connection is allowed if there is an entry in pg_ident.conf for map
  # "omicron" that says "bryanh" is allowed to connect as "guest1".
  #
! # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
! host    all         all         192.168.0.0       255.255.0.0       ident omicron

  # If these are the only three lines for local connections, they will
  # allow local users to connect only to their own databases (databases
--- 500,507 ----
  # connection is allowed if there is an entry in pg_ident.conf for map
  # "omicron" that says "bryanh" is allowed to connect as "guest1".
  #
! # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
! host    all         all         192.168.0.0/16        ident omicron

  # If these are the only three lines for local connections, they will
  # allow local users to connect only to their own databases (databases
***************
*** 515,521 ****
  # $PGDATA/admins contains a list of user names.  Passwords are required in
  # all cases.
  #
! # TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
  local   sameuser    all                                             md5
  local   all         @admins                                         md5
  local   all         +support                                        md5
--- 510,516 ----
  # $PGDATA/admins contains a list of user names.  Passwords are required in
  # all cases.
  #
! # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
  local   sameuser    all                                             md5
  local   all         @admins                                         md5
  local   all         +support                                        md5
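Review bot: The header is changed to the shorter `CIDR-ADDRESS          METHOD` layout, but the three `local` lines below it keep `md5` at the column where METHOD sat in the old two-column header, so METHOD and its values no longer line up; the equivalent `local ... trust` example earlier in this patch was realigned, and these lines should be too.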
***************
*** 959,961 ****
--- 954,957 ----
    </sect1>

   </chapter>
+
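Review bot: This hunk only appends an empty line after `</chapter>` at the end of the file, which looks like unintended whitespace noise rather than part of the documentation change; drop it from the patch.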
Index: src/backend/libpq/pg_hba.conf.sample
===================================================================
RCS file: /cvsroot/pgsql-server/src/backend/libpq/pg_hba.conf.sample,v
retrieving revision 1.52
diff -c -c -r1.52 pg_hba.conf.sample
*** src/backend/libpq/pg_hba.conf.sample    26 Aug 2004 13:44:38 -0000    1.52
--- src/backend/libpq/pg_hba.conf.sample    26 Aug 2004 16:11:09 -0000
***************
*** 28,38 ****
  #
  # CIDR-ADDRESS specifies the set of hosts the record matches.
  # It is made up of an IP address and a CIDR mask that is an integer
! # between 0 and 32 (IPv6) or 128(IPv6) inclusive, that specifies
! # the number of significant bits in the mask, e.g. an IPv4 CIDR mask
! # of 8 is equivalent to an IP mask of 255.0.0.0, an IPv6 CIDR mask
! # of 64 is equivalent to an IP mask of ffff:ffff:ffff:ffff::. A
! # IPv4 CIDR mask of 32 is used for single hosts. Also, you can use a
  # separate IP address and netmask to specify the set of hosts.
  #
  # METHOD can be "trust", "reject", "md5", "crypt", "password",
--- 28,35 ----
  #
  # CIDR-ADDRESS specifies the set of hosts the record matches.
  # It is made up of an IP address and a CIDR mask that is an integer
! # (between 0 and 32 (IPv6) or 128(IPv6) inclusive) that specifies
! # the number of significant bits in the mask  Also, you can use a
  # separate IP address and netmask to specify the set of hosts.
  #
  # METHOD can be "trust", "reject", "md5", "crypt", "password",
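Review bot: The rewritten range text still reads `(between 0 and 32 (IPv6) or 128(IPv6) inclusive)`; the first `(IPv6)` should be `(IPv4)`, and a space is missing before the second parenthesis. The following line also lost its sentence break: `# the number of significant bits in the mask  Also, you can use a` needs a full stop after "mask". Suggested lines: `# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies` and `# the number of significant bits in the mask.  Also, you can use a`.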
