Thread: [PATCH] initdb: Option description.
Hello there,

the recent introduction of new options `--auth-local'
and `--auth-host' has led to some confusion in the
help message for initdb, leaving an erroneous `local'
for `--auth' and `--auth-host'. Please consider the
following patch to improve the relevance.

Best regards,
  Mats Erik Andersson
On Mon, Nov 17, 2014 at 12:12 AM, Mats Erik Andersson <bsd@gisladisker.se> wrote:
> Hello there,
>
> the recent introduction of new options `--auth-local'
> and `--auth-host' has led to some confusion in the
> help message for initdb, leaving an erroneous `local'
> for `--auth' and `--auth-host'. Please consider the
> following patch to improve the relevance.

Hi!

The idea behind the current wording is that it only sets the
authentication type for 127.0.0.1 and ::1 -- there is no entry in
pg_hba.conf generated for non-local TCP/IP connections. Perhaps we
could clarify it by saying "localhost TCP/IP" rather than "local
TCP/IP" though?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
On Tuesday, 25 November 2014 at 13:52, Magnus Hagander wrote:
> On Mon, Nov 17, 2014 at 12:12 AM, Mats Erik Andersson
> <bsd@gisladisker.se> wrote:
> > Hello there,
> >
> > the recent introduction of new options `--auth-local'
> > and `--auth-host' has led to some confusion in the
> > help message for initdb, leaving an erroneous `local'
> > for `--auth' and `--auth-host'. Please consider the
> > following patch to improve the relevance.
>
> Hi!
>
> The idea behind the current wording is that it only sets the
> authentication type for 127.0.0.1 and ::1 -- there is no entry in
> pg_hba.conf generated for non-local TCP/IP connections. Perhaps we
> could clarify it by saying "localhost TCP/IP" rather than "local
> TCP/IP" though?

Even admitting that the template is stated for localhost only,
it seems clearer in my view to ignore this technicality in the
message. Scaring the administrator slightly is no bad thing.

My misinterpretation of "local" in "initdb.c" continues in
two more messages, so let me mention also them in order to
make the discussion complete. I accept to be contradicted,
but letting others see the explicit changes might provoke [sic]
an optimal motivation for any decision!

Best regards,
  Mats Erik Andersson

diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c index 3b52867..0dcceda 100644 --- a/src/bin/initdb/initdb.c +++ b/src/bin/initdb/initdb.c
@@ -159,9 +159,9 @@ static char *dynamic_shared_memory_type = NULL; * Warning messages for authentication methods */ #define AUTHTRUST_WARNING \ -"# CAUTION: Configuring the system for local \"trust\" authentication\n" \ -"# allows any local user to connect as any PostgreSQL user, including\n" \ -"# the database superuser. If you do not trust all your local users,\n" \ +"# CAUTION: Configuring the system for \"trust\" authentication\n" \ +"# allows any user to connect as any PostgreSQL user, including\n" \ +"# the database superuser. If you do not trust all your users,\n" \ "# use another authentication method.\n" static char *authwarning = NULL; @@ -2868,8 +2868,8 @@ usage(const char *progname) printf(_("Usage:\n")); printf(_(" %s [OPTION]... [DATADIR]\n"), progname); printf(_("\nOptions:\n")); - printf(_(" -A, --auth=METHOD default authentication method for local connections\n")); - printf(_(" --auth-host=METHOD default authentication method for local TCP/IP connections\n")); + printf(_(" -A, --auth=METHOD default authentication method for all connections\n")); + printf(_(" --auth-host=METHOD default authentication method for TCP/IP connections\n")); printf(_(" --auth-local=METHOD default authentication method for local-socket connections\n")); printf(_(" [-D, --pgdata=]DATADIR location for this database cluster\n")); printf(_(" -E, --encoding=ENCODING set default encoding for new databases\n")); @@ -2906,7 +2906,7 @@ check_authmethod_unspecified(const char **authmethod) { if (*authmethod == NULL || strlen(*authmethod) == 0) { - authwarning = _("\nWARNING: enabling \"trust\" authentication for local connections\n" + authwarning = _("\nWARNING: Enabling \"trust\" authentication for some connections.\n" "You can change this by editing pg_hba.conf or using the option -A, or\n" "--auth-local and --auth-host, the next time you run initdb.\n"); *authmethod = "trust";
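Review bot: In the first hunk (AUTHTRUST_WARNING), removing "local" leaves the comment reading "allows any user to connect as any PostgreSQL user", which is wider than the scope described in this thread, where only the socket entry and 127.0.0.1 / ::1 are generated. Someone reading that comment cannot tell whether remote clients are covered. Rather than deleting the qualifier, name the scope, for example "any user on this host" or an explicit mention of Unix-socket and loopback connections, so the warning stays accurate for the entries it accompanies.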
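Review bot: In the usage() hunk, "for all connections" on -A/--auth and "for TCP/IP connections" on --auth-host read as if the chosen method applies to remote clients, while the unchanged --auth-local line still says "local-socket connections". Going by the reply in this thread that only 127.0.0.1 and ::1 get entries, "localhost TCP/IP connections" (the wording proposed there) for --auth-host would remove the ambiguity without overstating the reach, and the -A line could say it sets the default for both the socket and the localhost TCP/IP entries.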
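Review bot: In the check_authmethod_unspecified() hunk, "for some connections" tells the administrator less than the "for local connections" it replaces, because it no longer says which connections are affected at the moment *authmethod is defaulted to "trust". Prefer wording that names them (socket and localhost TCP/IP). Separately, changing "enabling" to "Enabling" and adding a full stop alters a string wrapped in _(), so existing translations of this message stop matching for a purely cosmetic edit; keep the original casing and punctuation unless that style change is intended for the file as a whole.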
Magnus Hagander-2 wrote
> On Mon, Nov 17, 2014 at 12:12 AM, Mats Erik Andersson <bsd@...> wrote:
>> Hello there,
>>
>> the recent introduction of new options `--auth-local'
>> and `--auth-host' has led to some confusion in the
>> help message for initdb, leaving an erroneous `local'
>> for `--auth' and `--auth-host'. Please consider the
>> following patch to improve the relevance.
>
> Hi!
>
> The idea behind the current wording is that it only sets the
> authentication type for 127.0.0.1 and ::1 -- there is no entry in
> pg_hba.conf generated for non-local TCP/IP connections. Perhaps we
> could clarify it by saying "localhost TCP/IP" rather than "local
> TCP/IP" though?

Or "loopback tcp/ip interface"...

It would also maybe help to modify the second description paragraph to
point out that initdb also creates the default postgres.conf and
pg_hba.conf files; the latter of which will contain two local-only
connection methods (socket and tcp/ip via localhost) with the
authentication set to trust but able to be overridden via the various
--auth* related switches.

David J.

--
View this message in context: http://postgresql.nabble.com/PATCH-initdb-Option-description-tp5827166p5828461.html
Sent from the PostgreSQL - bugs mailing list archive at Nabble.com.
Mats Erik Andersson wrote
> On Tuesday, 25 November 2014 at 13:52, Magnus Hagander wrote:
>> On Mon, Nov 17, 2014 at 12:12 AM, Mats Erik Andersson <bsd@...> wrote:
>> > Hello there,
>> >
>> > the recent introduction of new options `--auth-local'
>> > and `--auth-host' has led to some confusion in the
>> > help message for initdb, leaving an erroneous `local'
>> > for `--auth' and `--auth-host'. Please consider the
>> > following patch to improve the relevance.
>>
>> Hi!
>>
>> The idea behind the current wording is that it only sets the
>> authentication type for 127.0.0.1 and ::1 -- there is no entry in
>> pg_hba.conf generated for non-local TCP/IP connections. Perhaps we
>> could clarify it by saying "localhost TCP/IP" rather than "local
>> TCP/IP" though?
>
> Even admitting that the template is stated for localhost only,
> it seems clearer in my view to ignore this technicality in the
> message. Scaring the administrator slightly is no bad thing.

I might quibble on the specific wording but making it clear that initdb
only sets up locally accessible connections and permissions is accurate
and doesn't need to instill more FUD than it does currently.

If admins are going to add non-local access they should consult the
documentation and will have to edit hba manually and should know that
they are adding a trust method for those non-local connections. However,
a user of initdb might not be aware that such is being done for them by
default and so the limited warning there is useful.

David J.

--
View this message in context: http://postgresql.nabble.com/PATCH-initdb-Option-description-tp5827166p5828463.html
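
The distinction the thread turns on, "trust" limited to the socket and loopback entries versus "trust" later added by hand for non-local addresses, can be checked mechanically. The following is an added example, not code from the thread or from PostgreSQL; the sample pg_hba.conf text is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the local/loopback "trust" records the thread describes,
# plus hand-added records an administrator might append later.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                       METHOD
local   all       all                                 trust
host    all       all   127.0.0.1/32                  trust
host    all       all   ::1/128                       trust
host    all       all   10.0.0.0/8                    trust  # added by hand
host    all       all   192.168.1.10 255.255.255.255  trust
hostssl all       all   0.0.0.0/0                     md5
"""

def classify(fields):
    """Return (scope, method) for one whitespace-split pg_hba.conf record."""
    if fields[0] == "local":
        return "unix-socket", fields[3]
    if fields[0] not in ("host", "hostssl", "hostnossl"):
        raise ValueError(f"unsupported record type: {fields[0]}")
    addr = fields[3]
    if "/" in addr:                      # CIDR form: ADDRESS/PREFIX METHOD
        net, method = ipaddress.ip_network(addr, strict=False), fields[4]
    else:
        try:
            ipaddress.ip_address(addr)
        except ValueError:               # keyword or host name: be conservative
            return "non-local", fields[4]
        # Separate-netmask form: ADDRESS MASK METHOD; turn the mask into a prefix.
        prefix = bin(int(ipaddress.ip_address(fields[4]))).count("1")
        net, method = ipaddress.ip_network(f"{addr}/{prefix}", strict=False), fields[5]
    return ("loopback" if net.is_loopback else "non-local"), method

def audit_trust(hba_text):
    """Return (line_no, scope, record) for every record using "trust"."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        record = raw.split("#", 1)[0].strip()   # assumes no quoted '#' in names
        if not record:
            continue
        scope, method = classify(record.split())
        if method == "trust":
            findings.append((line_no, scope, record))
    return findings

if __name__ == "__main__":
    for line_no, scope, record in audit_trust(SAMPLE_HBA):
        flag = "REVIEW" if scope == "non-local" else "ok"
        print(f"{flag:6} line {line_no} [{scope}] {record}")
```

Keywords and host names in the address column are reported as non-local on purpose, so an entry is never under-reported because its reach could not be computed.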