Thread: Improving pg_hba.conf
We have the following item on TODO:

	* Overhaul pg_hba.conf host-based authentication

Can people tell me what they want changed. I know we need the pg_shadow
password field encrypted in the table and I will work on that now.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

I don't think that belongs in pg_hba.conf.

> On Tue, 12 Jun 2001, Bruce Momjian wrote:
>
> It might be worthwhile to add restrictions in the config file for user
> level locking, I realize that it can be done now...but having it in the
> pg_hba.conf file could make it easier...
>
> > We have the following item on TODO:
> >
> > * Overhaul pg_hba.conf host-based authentication
> >
> > Can people tell me what they want changed. I know we need the pg_shadow
> > password field encrypted in the table and I will work on that now.
>
> Chris Bowlby

--
Bruce Momjian

On Tue, 12 Jun 2001, Bruce Momjian wrote:

It might be worthwhile to add restrictions in the config file for user
level locking, I realize that it can be done now...but having it in the
pg_hba.conf file could make it easier...

> We have the following item on TODO:
>
> * Overhaul pg_hba.conf host-based authentication
>
> Can people tell me what they want changed. I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.

Chris Bowlby,
-----------------------------------------------------
Web Developer @ Hub.org.
excalibur@hub.org
www.hub.org
1-902-542-3657
-----------------------------------------------------

Bruce Momjian wrote:

> We have the following item on TODO:
>
> * Overhaul pg_hba.conf host-based authentication
>
> Can people tell me what they want changed. I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.

Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
for free when you reinitialize and restore a database?

> Bruce Momjian wrote:
> >
> > We have the following item on TODO:
> >
> > * Overhaul pg_hba.conf host-based authentication
> >
> > Can people tell me what they want changed. I know we need the pg_shadow
> > password field encrypted in the table and I will work on that now.
>
> Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> for free when you reinitialize and restore a database?

The file has to be read by the postmaster and the postmaster has no
access to data tables for speed and security reasons.

--
Bruce Momjian

mlw writes:

> Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> for free when you reinitialize and restore a database?

Because if you hosed that table you would have hosed your entire
installation.

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter

Chris Bowlby writes:

> It might be worthwhile to add restrictions in the config file for user
> level locking, I realize that it can be done now...but having it in the
> pg_hba.conf file could make it easier...

This would be mostly pointless since you can create locks with judicious
use of insert/update/delete. I don't suppose you want to let those
commands run without the appropriate locks.

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter

Peter Eisentraut wrote:

> mlw writes:
>
> > Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> > for free when you reinitialize and restore a database?
>
> Because if you hosed that table you would have hosed your entire
> installation.

You could use a bki script to fix the problem in standalone mode if need be. I
don't think breaking this table is really an issue.

My only concerns would be the chicken vs egg problem connecting to the system,
and security. Assuming these issues could be resolved, I think having this info
in a table would be beneficial for maintenance.

> We have the following item on TODO:
>
> * Overhaul pg_hba.conf host-based authentication
>
> Can people tell me what they want changed. I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.

I haven't heard of any more issues with pg_hba.conf so I will mark the
item as done. I did clean up the comments in the file. I have also
added a TODO item:

	* Read pg_hba.conf only on postmaster startup or SIGHUP

--
Bruce Momjian

>I haven't heard of any more issues with pg_hba.conf so I will mark the
>item as done. I did clean up the comments in the file. I have also
>added a TODO item:
>
> * Read pg_hba.conf only on postmaster startup or SIGHUP

If you do this, can you add an access table for secondary lookups? I
tend to update host access frequently and personally I think it'd be
dandy to have a table that can be updated for access as well as the
primary pg_hba.conf file.

David

> >I haven't heard of any more issues with pg_hba.conf so I will mark the
> >item as done. I did clean up the comments in the file. I have also
> >added a TODO item:
> >
> > * Read pg_hba.conf only on postmaster startup or SIGHUP
>
> If you do this, can you add an access table for secondary lookups? I
> tend to update host access frequently and personally I think it'd be
> dandy to have a table that can be updated for access as well as the
> primary pg_hba.conf file.

Sorry, I don't understand what secondary lookups are.

--
Bruce Momjian

What I mean is, do host lookups first in the text file, then if a
pg_hostaccess table (example) exists, check it for host entries. This
alleviates HUP or restart etc. to reload a config file.

David

Bruce Momjian wrote:

>>>I haven't heard of any more issues with pg_hba.conf so I will mark the
>>>item as done. I did clean up the comments in the file. I have also
>>>added a TODO item:
>>>
>>> * Read pg_hba.conf only on postmaster startup or SIGHUP
>>
>>If you do this, can you add an access table for secondary lookups? I
>>tend to update host access frequently and personally I think it'd be
>>dandy to have a table that can be updated for access as well as the
>>primary pg_hba.conf file.
>
>Sorry, I don't understand what secondary lookups are.

> What I mean is, do host lookups first in the text file, then if a
> pg_hostaccess table (example) exists, check it for host entries. This
> alleviates HUP or restart etc. to reload a config file.

Can't do that. Postmaster has no database access. Must be fast.

--
Bruce Momjian
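
The TODO item above ("Read pg_hba.conf only on postmaster startup or SIGHUP") and the reply that the postmaster cannot consult a table, sketched as an added example; it is not from the thread and not PostgreSQL source. Rules are parsed into memory at startup, re-read only after SIGHUP, and a file that fails to parse leaves the previous rules in force. The `ADDRESS MASK METHOD` line format, the function names and the `write_text` demo helper are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Constructed rule format "ADDRESS MASK METHOD"; not the real pg_hba.conf grammar. */
struct rule { struct in_addr addr, mask; char method[16]; };
static struct ruleset { struct rule r[32]; int n; } active;  /* live, in-memory rules */
static volatile sig_atomic_t reload_pending = 1;  /* 1 at startup; set again by SIGHUP */

/* The handler only sets a flag (and re-arms itself); parsing runs in the main loop. */
static void on_sighup(int sig) { signal(sig, on_sighup); reload_pending = 1; }
int install_reload_handler(void) { return signal(SIGHUP, on_sighup) == SIG_ERR ? -1 : 0; }

/* Returns 0 if no reload was requested, 1 if reloaded, -1 if the file was rejected.
 * Parses into a scratch set so a malformed file never replaces the live rules. */
int reload_if_pending(const char *path)
{
    struct ruleset fresh = { .n = 0 };
    char line[128], a[16], m[16];
    if (!reload_pending) return 0;
    reload_pending = 0;
    FILE *f = fopen(path, "r");
    int ok = (f != NULL);
    while (ok && fgets(line, sizeof line, f)) {
        struct rule *r = &fresh.r[fresh.n];
        char first = line[strspn(line, " \t\r\n")];
        if (first == '#' || first == '\0') continue;   /* comment or blank line */
        ok = fresh.n < 32 && sscanf(line, "%15s %15s %15s", a, m, r->method) == 3
             && inet_pton(AF_INET, a, &r->addr) == 1 && inet_pton(AF_INET, m, &r->mask) == 1;
        if (ok) fresh.n++;
    }
    if (f) fclose(f);
    if (ok) active = fresh;   /* swap only after the whole file parsed */
    return ok ? 1 : -1;
}

/* First match wins, default "reject"; no file or table access on this path. */
const char *auth_method_for(const char *client_ip)
{
    struct in_addr ip;
    if (inet_pton(AF_INET, client_ip, &ip) != 1) return "reject";
    for (int i = 0; i < active.n; i++)
        if (((ip.s_addr ^ active.r[i].addr.s_addr) & active.r[i].mask.s_addr) == 0)
            return active.r[i].method;
    return "reject";
}

int write_text(const char *p, const char *s)   /* demo helper: constructed rules file */
{ FILE *f = fopen(p, "w"); return (f && fputs(s, f) >= 0 && fclose(f) == 0) ? 0 : -1; }
```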