Re: pg_hba.conf: samehost and samenet - Mailing list pgsql-hackers

From Stef Walter
Subject Re: pg_hba.conf: samehost and samenet
Msg-id 20090814203231.CD2B13039746@mx.npubs.com
In response to pg_hba.conf: samehost and samenet  (Stef Walter <stef-list@memberwebs.com>)
Responses Re: pg_hba.conf: samehost and samenet  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tom Lane wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> On Fri, Aug 14, 2009 at 00:50, Stef Walter<stef-list@memberwebs.com> wrote:
>>> It would be great if, in the cidr-address field of pg_hba.conf, we could
>>> specify "samehost" and "samenet".
> 
>> Seems like a reasonable feature - especially the samehost part.
> 
> ISTM people have traditionally used 127.0.0.1 and ::1 for "samehost"
> behavior.  

Yes for sure. As noted in the original email, 127.0.0.1 doesn't work as
you would expect in BSD jails. As it currently stands, you have to put
the local IP address to achieve similar access control. This causes
major pains when renumbering or dealing with postgresql hosted in large
numbers of jails.

Another way we could sort of get around most of these renumbering
problems is by the ability to include host names in pg_hba.conf, rather
than IP addresses. I first set out to implement this, but as advised in
"How to Contribute" looked around the mailing lists for previous
discussion on the topic and found this:

http://archives.postgresql.org/pgsql-hackers/2008-06/msg00569.php

There seems to be no consensus in the postgresql community about this
feature, and its implementation. The last guy who tried to work on it
got scared away, and so I decided to try an approach that might be more
palatable.

I'm willing to put in the work on either approach, and I could revive
discussion about host names in pg_hba.conf if that's more desirable.

> What's being suggested here is a tad more flexible but
> hardly a huge advance.  As for "samenet", personally I'd be scared to
> death of something like that --- who knows how wide the OS will
> think your "net" is?  (Think cable modem users on 10.x.x.x ...)
> Using samenet in a conf file that's being handed out to random users
> seems impossibly dangerous.

I understand what you're saying. In this case it would be handed out to
hosted clients and those sorts of users, i.e. a controlled environment.
Obviously this wouldn't go into the default postgresql pg_hba.conf.

> However, I wouldn't object too much if it weren't for this:
> 
>> * How portable is this? For starters it clearly doesn't do Windows,
>> which would need to be investigated for similar functionality, but how
>> many others support getifaddr()? From what I can tell it's not in
>> POSIX, at least.
> 
> I don't see it on HPUX, for one.  Unless a portable solution can be
> found I don't think we can consider this.  We're not in the habit
> of exposing significant functionality that's only available on some
> platforms.

True. I could build compatibility getifaddrs for various systems, if the
community thought this patch was worth it, and would otherwise accept
the patch.

Cheers,

Stef
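The following is an added example, not code from this thread or from PostgreSQL, showing how a "samehost" / "samenet" keyword in the address column of pg_hba.conf could be evaluated against the interface list that getifaddrs(3) returns. It is IPv4 only, the function names (hba_match_v4, collect_local_v4, sample_match) are assumptions, and the interface table in sample_nets() is constructed for illustration. The /8 entry in that table reproduces Tom's "cable modem on 10.x.x.x" concern: any 10.x address then satisfies samenet.

```c
/* Added example (not PostgreSQL code): samehost/samenet evaluated against
 * getifaddrs(3). IPv4 only; names and the sample table are assumptions. */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* One local interface: address and netmask, both in network byte order. */
struct local_net {
    struct in_addr addr;
    struct in_addr mask;
};

/* samehost: the client address is one of our own interface addresses. */
int match_samehost(struct in_addr client, const struct local_net *nets, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        if (client.s_addr == nets[i].addr.s_addr)
            return 1;
    return 0;
}

/* samenet: the client lies inside one of our interface subnets. The subnet
 * is as wide as the OS netmask says, which is the risk raised in the thread. */
int match_samenet(struct in_addr client, const struct local_net *nets, unsigned n)
{
    for (unsigned i = 0; i < n; i++) {
        in_addr_t m = nets[i].mask.s_addr;
        if ((client.s_addr & m) == (nets[i].addr.s_addr & m))
            return 1;
    }
    return 0;
}

/* Hypothetical evaluator for the keyword in the address column.
 * Returns 1 on match, 0 on no match, -1 for a bad keyword or address. */
int hba_match_v4(const char *keyword, const char *client_s,
                 const struct local_net *nets, unsigned n)
{
    struct in_addr client;
    if (inet_pton(AF_INET, client_s, &client) != 1)
        return -1;
    if (strcmp(keyword, "samehost") == 0)
        return match_samehost(client, nets, n);
    if (strcmp(keyword, "samenet") == 0)
        return match_samenet(client, nets, n);
    return -1;
}

/* Real interfaces via getifaddrs(3): fills out[], returns count or -1. */
int collect_local_v4(struct local_net *out, unsigned max)
{
    struct ifaddrs *list, *p;
    unsigned n = 0;
    if (getifaddrs(&list) != 0)
        return -1;
    for (p = list; p != NULL && n < max; p = p->ifa_next) {
        if (p->ifa_addr == NULL || p->ifa_netmask == NULL ||
            p->ifa_addr->sa_family != AF_INET)
            continue;
        out[n].addr = ((struct sockaddr_in *)p->ifa_addr)->sin_addr;
        out[n].mask = ((struct sockaddr_in *)p->ifa_netmask)->sin_addr;
        n++;
    }
    freeifaddrs(list);
    return (int)n;
}

/* Constructed interface table (not a real host): loopback, a jail address
 * on a /24, and a /8 like the "cable modem on 10.x.x.x" case. */
static unsigned sample_nets(struct local_net *out)
{
    static const char *v[][2] = {
        { "127.0.0.1", "255.0.0.0" },
        { "192.0.2.10", "255.255.255.0" },
        { "10.3.4.5", "255.0.0.0" },
    };
    unsigned n = sizeof v / sizeof v[0];
    for (unsigned i = 0; i < n; i++) {
        inet_pton(AF_INET, v[i][0], &out[i].addr);
        inet_pton(AF_INET, v[i][1], &out[i].mask);
    }
    return n;
}

/* The same check run against the constructed table above. */
int sample_match(const char *keyword, const char *client_s)
{
    struct local_net nets[3];
    unsigned n = sample_nets(nets);
    return hba_match_v4(keyword, client_s, nets, n);
}

int main(void)
{
    struct local_net nets[32];
    char a[INET_ADDRSTRLEN], m[INET_ADDRSTRLEN];
    int n = collect_local_v4(nets, 32);
    if (n < 0) {
        perror("getifaddrs");
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%s/%s\n", inet_ntop(AF_INET, &nets[i].addr, a, sizeof a),
               inet_ntop(AF_INET, &nets[i].mask, m, sizeof m));
    printf("samenet 10.200.1.1 on sample table: %d\n",
           sample_match("samenet", "10.200.1.1"));
    return 0;
}
```

Running main() prints whatever getifaddrs reports on the current host; on a jailed host that list is what the keyword would be matched against, rather than the 127.0.0.1 the message says does not behave as expected there. A real implementation would also walk AF_INET6 entries and fall back to a platform-specific enumeration where getifaddrs is missing, which is the portability question Magnus and Tom raise.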


