Re: Thoughts on pg_hba.conf rejection - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Thoughts on pg_hba.conf rejection
Date
Msg-id 8190.1271718587@sss.pgh.pa.us
Whole thread Raw
In response to Re: Thoughts on pg_hba.conf rejection  (Simon Riggs <simon@2ndQuadrant.com>)
List pgsql-hackers
Simon Riggs <simon@2ndQuadrant.com> writes:
> With code as currently, yes, though I see that there is a way to do
> this. 

> Rules that have an "all" in the database field of the hba can be applied
> prior to attempting to select the database, as long as the "all" rule is
> above any database-specific rules.

Well, that's nice, but it's an awfully small subset of what the
pg_hba.conf rules might contain.  In particular you can't do anything
that involves group membership checks without access to the catalogs;
and I think a large fraction of installations that are exposed to
untrustworthy connections will be using password auth for them, which
means they still need to connect to the catalogs to get the password.

Now it's possible that we could have a prefilter that rejects
connections if they're coming from an IP address that cannot match
*any* of the pg_hba.conf rules.  Not sure how useful that would really
be in practice though.  It wouldn't do anything extra for people who
keep their DB server behind a firewall.
        regards, tom lane


pgsql-hackers by date:

Previous
From: Greg Smith
Date:
Subject: Re: shared_buffers documentation
Next
From: Tom Lane
Date:
Subject: Re: Thoughts on pg_hba.conf rejection