Re: Hostnames in pg_hba.conf - Mailing list pgsql-hackers
From | Bart Samwel |
---|---|
Subject | Re: Hostnames in pg_hba.conf |
Date | |
Msg-id | ded01eb21002111412h63388f82p5fc16a17473bdfc1@mail.gmail.com Whole thread Raw |
In response to | Re: Hostnames in pg_hba.conf (Mark Mielke <mark@mark.mielke.cc>) |
Responses |
Re: Hostnames in pg_hba.conf
|
List | pgsql-hackers |
On Thu, Feb 11, 2010 at 23:01, Mark Mielke <mark@mark.mielke.cc> wrote:
I don't think we're talking about the same thing here. I wasn't suggesting doing hostname-plus-netmask. NO! I was suggesting that where a lazy sysadmin would previously configure by subnet, they might switch to more fine-grained hostname-based configuration ONLY IF it doesn't require duplicating every line in pg_hba.conf for every host in the subnet.
On 02/11/2010 04:54 PM, Bart Samwel wrote:I'm mixed. In some situations, I've wanted to put multiple IP/netmask. I would say that if multiple names are supported, then multiple IP/netmask should be supported. But, this does make the lines unwieldy beyond two or three. This direction leans towards the capability to define "host classes", where the rules allows the host class, and the host class can have a list of hostnames.ISSUE #3: Multiple hostnames?
Currently, a pg_hba entry lists an IP / netmask combination. I would suggest allowing lists of hostnames in the entries, so that you can at least mimic the "match multiple hosts by a single rule". Any reason not to do this?
Yes, but before you know it people will ask for being able to specify multiple host classes. :-) Quite simply put, with a single subnet you can allow multiple hosts in. Allowing only a single hostname is a step backward from that, so adding support for multiple hostnames could be useful if somebody is replacing subnets with hostname-based configuration.
This implies two aspects which may not be true:
1) All hosts that I want to allow belong to the same subnet.
2) If I trust one host on the subnet, then I trust all hosts on the subnet.
While the above two points are often true, they are not universally true.
I don't think we're talking about the same thing here. I wasn't suggesting doing hostname-plus-netmask. NO! I was suggesting that where a lazy sysadmin would previously configure by subnet, they might switch to more fine-grained hostname-based configuration ONLY IF it doesn't require duplicating every line in pg_hba.conf for every host in the subnet.
2) What will you do if they specify a hostname and a netmask? This seems like a convenient way of saying "everybody on the same subnet as NAME."
Not supported. Either an IP address / netmask combo, or a hostname, but not both. I wouldn't want to recommend hardcoding something such as netmasks (which are definitely subnet dependent) in combination with something as volatile as a host name -- move it to a different subnet, and you might allow a whole bigger subnet than you intended. If they want to specify a netmask, then they should just use hardcoded IPs as well.
Ah yes, I recall this from a previous thread. I think I also disagreed on the other thread. :-)
I thought of a use for reverse lookup - it would allow wild card hostnames. Still, that's an advanced feature that might be for later... :-)
I think wildcards are interesting, but I have yet to see an actual use case other than "it's cool and very generalized". In my mind (tell me if I'm wrong), the most common type of PostgreSQL authentication setup is within a local network within an organization. There, you either authorize an entire subnet ("the entire server park" or "all client PCs") or you authorize specific hosts (single IP address). The wildcard case is for replacing the first case, but for that case, subnets are usually just fine. I'm trying to target the second case here.
Cheers,
Bart
pgsql-hackers by date: