On Tue, Mar 11, 2008 at 10:36 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> "Scott Marlowe" <scott.marlowe@gmail.com> writes:
> > I was just looking for something in the admin docs, and it seems like
> > the ordering of sections is sub-optimal.
>
> > 17. Operating System Environment
> > 18. Server Configuration
> > 19. Database Roles and Privileges
> > 20. Managing Databases
> > 21. Client Authentication
>
> > Seems that Client Authentication should come right after Server
> > Configuration. After all, how is someone going to handle roles and
> > database creation before they've authenticated?
>
> Well, until you know what a role is, the client auth discussion might
> not make too much sense to you...
>
> I'm not wedded to the current ordering but I'm not sure it's silly
> either.
>
> Something else that ought to be considered here is that now that we have
> CONNECT privilege for databases, manipulating privileges is a lot saner
> way to control who-can-connect-where than setting up fancy combinations
> of user and database entries in pg_hba.conf. AFAIR there is no mention
> of this alternative in Chapter 21, but it seems like there ought to be.
> With your proposed reorganization, that would become a forward
> reference; is that OK?

I've deleted and rewritten this email like 4 times...

The more I read the docs, the more moving client authentication seems
to make sense. In fact, the authentication problems section is
probably the perfect final bit to the Connections and Authentication
section. I'd move it up a level, so that it looked something like
this:

18.3. Connections and Authentication
18.3.1. Connection Settings
18.3.2. Security and Authentication
18.3.3. The pg_hba.conf file
18.3.4. Authentication methods
18.3.5. Authentication problems

Unless a different level of indentation makes more sense, which I
could totally understand.

It definitely follows the flow of setting up a pg server better for
me. I might even move the pg_hba.conf file to 18.3.1 up there. It is
pretty much a firewall.
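
Added example, not part of the original thread: a sketch of the alternative Tom Lane describes above, where the CONNECT privilege decides who can connect to which database and pg_hba.conf is left with one generic rule. The database names (appdb, reports), the role names, the network range and the `<auth-method>` placeholder are all constructed for illustration, and both databases are assumed to exist already.

```sql
-- pg_hba.conf then needs only a generic entry that picks the
-- authentication method, instead of one line per user/database pair
-- (constructed network, placeholder method):
--   host  all  all  192.0.2.0/24  <auth-method>

-- New databases grant CONNECT to PUBLIC by default, so remove that first.
REVOKE CONNECT ON DATABASE appdb   FROM PUBLIC;
REVOKE CONNECT ON DATABASE reports FROM PUBLIC;

-- Group roles carry the privilege; NOLOGIN because nobody logs in as them.
CREATE ROLE app_users    NOLOGIN;
CREATE ROLE report_users NOLOGIN;
GRANT CONNECT ON DATABASE appdb   TO app_users;
GRANT CONNECT ON DATABASE reports TO report_users;

-- Login roles get access through membership in the group roles.
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;
GRANT app_users    TO alice;
GRANT report_users TO alice, bob;

-- Audit the resulting who-can-connect-where matrix.
-- Expected: alice can connect to both databases, bob only to reports.
SELECT d.datname,
       r.rolname,
       has_database_privilege(r.rolname, d.datname, 'CONNECT') AS can_connect
FROM   pg_database d
CROSS  JOIN pg_roles r
WHERE  d.datname IN ('appdb', 'reports')
AND    r.rolname IN ('alice', 'bob')
ORDER  BY d.datname, r.rolname;

-- Caveat: superusers bypass the CONNECT check, and a database owner
-- keeps the privilege on its own database unless it is revoked from
-- that role explicitly, so audit those roles separately.
```

Changes made with GRANT and REVOKE apply to new connection attempts without editing pg_hba.conf or reloading the server; sessions that are already connected are not terminated.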