Re: Should database = all in pg_hba.conf match a replication connection? - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Should database = all in pg_hba.conf match a replication connection?
Date
Msg-id 4927198544210548164@unknownmsgid
Whole thread Raw
In response to Should database = all in pg_hba.conf match a replication connection?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Should database = all in pg_hba.conf match a replication connection?
List pgsql-hackers
On Apr 20, 2010, at 7:06 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I spent a fair amount of time just now being confused about why
> pg_hba.conf restrictions on replication connections didn't seem to be
> getting enforced.  After looking at the code, I realize that my entry
> with database = "replication" was indeed getting rejected as not
> matching, but then the hba code was falling through and matching an
> entry with database = "all".  This is not the behavior I expected
> after
> looking at the docs; the docs seem to imply that SR connections must
> match an explicit replication entry in pg_hba.conf in order to
> succeed.
>
> Should we change this?  It seems to me to be a good thing on security
> grounds if replication connections can't be made through a generic
> pg_hba entry.

+1.

...Robert

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Thoughts on pg_hba.conf rejection
Next
From: Tom Lane
Date:
Subject: Re: [DOCS] Streaming replication document improvements