OK, doc patch attached and applied that prefers CIDR format for pg_hba.conf.
---------------------------------------------------------------------------
Andrew Dunstan wrote:
> Tom Lane said:
> > "Andrew Dunstan" <andrew@dunslane.net> writes:
> >> Since our defaults don't use old-style masks any more, I would be
> >> tempted to remove the column labels for IP-ADDRESS and IP-MASK, and
> >> instead put in a single heading of IP-ADDRESS/CIDR-MASK.
> >
> > I don't know why there is any debate about this. When I said "fix the
> > comments to agree with the code", the column headings were certainly
> > one of the things I had in mind. You should have done that in the
> > original patch.
> >
>
> Then I apologise. As I think I indicated, my time is very limited right now.
> So rather than submit things that are incomplete I will be refraining from
> pretty much any pg work for a while - I already did a lot more that I
> originally set as my goals for this release.
>
> cheers
>
> andrew
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo@postgresql.org so that your
> message can get through to the mailing list cleanly
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql-server/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.65
diff -c -c -r1.65 client-auth.sgml
*** doc/src/sgml/client-auth.sgml 23 Mar 2004 01:23:48 -0000 1.65
--- doc/src/sgml/client-auth.sgml 26 Aug 2004 16:11:06 -0000
***************
*** 86,97 ****
A record may have one of the seven formats
<synopsis>
local <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
host <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
- host <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
- hostssl <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
- hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
</synopsis>
The meaning of the fields is as follows:
--- 86,97 ----
A record may have one of the seven formats
<synopsis>
local <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
+ host <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable>
<optional><replaceable>authentication-option</replaceable></optional>
+ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable>
<optional><replaceable>authentication-option</replaceable></optional>
+ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable>
<optional><replaceable>authentication-option</replaceable></optional>
host <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
<replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
</synopsis>
The meaning of the fields is as follows:
***************
*** 196,214 ****
</varlistentry>
<varlistentry>
! <term><replaceable>IP-address</replaceable></term>
! <term><replaceable>IP-mask</replaceable></term>
<listitem>
<para>
! These two fields contain IP address and mask values in standard
! dotted decimal notation. (IP addresses can only be specified
! numerically, not as domain or host names.) Taken together they
! specify the client machine IP addresses that this record
! matches. The precise logic is that
! <programlisting>
! (<replaceable>actual-IP-address</replaceable> xor <replaceable>IP-address-field</replaceable>) and
<replaceable>IP-mask-field</replaceable>
! </programlisting>
! must be zero for the record to match.
</para>
<para>
--- 196,218 ----
</varlistentry>
<varlistentry>
! <term><replaceable>CIDR-address</replaceable></term>
<listitem>
<para>
! specifies the client machine IP addresses that this record
! matches. It contains an IP address in standard dotted decimal
! notation and a CIDR mask length. (IP addresses can only be
! specified numerically, not as domain or host names.) For example,
! an IPv4 CIDR mask of 8 is equivalent to an IP mask of 255.0.0.0,
! an IPv6 CIDR mask of 64 is equivalent to an IP mask of
! ffff:ffff:ffff:ffff::. A IPv4 CIDR mask of 32 is used for single
! hosts.
! </para>
!
! <para>
! A typical CIDR address is <literal>172.20.143.89/32</literal>.
! There should be no white space between the IP address, the
! <literal>/</literal>, and the CIDR mask length.
</para>
<para>
***************
*** 229,254 ****
</varlistentry>
<varlistentry>
<term><replaceable>IP-masklen</replaceable></term>
<listitem>
<para>
! This field may be used as an alternative to the
! <replaceable>IP-mask</replaceable> notation. It is an integer
! specifying the number of high-order bits to set in the mask.
! The number must be between 0 and 32 (in the case of an IPv4
! address) or 128 (in the case of an IPv6 address) inclusive. 0
! will match any address, while 32 (or 128, respectively) will
! match only the exact host specified. The same matching logic
! is used as for a dotted notation
! <replaceable>IP-mask</replaceable>.
! </para>
!
! <para>
! There must be no white space between the
! <replaceable>IP-address</replaceable> and the
! <literal>/</literal> or the <literal>/</literal> and the
! <replaceable>IP-masklen</replaceable>, or the file will not be
! parsed correctly.
</para>
<para>
--- 233,249 ----
</varlistentry>
<varlistentry>
+ <term><replaceable>IP-address</replaceable></term>
<term><replaceable>IP-masklen</replaceable></term>
<listitem>
<para>
! This may be used as an alternative to the
! <replaceable>CIDR-address</replaceable> notation. Instead of
! specifying the mask length, the actual mask is specified in a
! separate column. For example, 255.0.0.0 represents a IPv4 CIDR
! mask length of 8, and 255.255.255.255 represents a CIDR mask
! length of 32. The same matching logic is used as for a dotted
! notation <replaceable>IP-mask</replaceable>.
</para>
<para>
***************
*** 458,493 ****
# any user name using Unix-domain sockets (the default for local
# connections).
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! local all all trust
# The same using local loopback TCP/IP connections.
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host all all 127.0.0.1 255.255.255.255 trust
! # The same as the last line but using a CIDR mask
#
! # TYPE DATABASE USER IP-ADDRESS/CIDR-mask METHOD
! host all all 127.0.0.1/32 trust
# Allow any user from any host with IP address 192.168.93.x to connect
# to database "template1" as the same user name that ident reports for
# the connection (typically the Unix user name).
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host template1 all 192.168.93.0 255.255.255.0 ident sameuser
! # The same as the last line but using a CIDR mask
#
! # TYPE DATABASE USER IP-ADDRESS/CIDR-mask METHOD
! host template1 all 192.168.93.0/24 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database
# "template1" if the user's password is correctly supplied.
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host template1 all 192.168.12.10 255.255.255.255 md5
# In the absence of preceding "host" lines, these two lines will
# reject all connection from 192.168.54.1 (since that entry will be
--- 453,488 ----
# any user name using Unix-domain sockets (the default for local
# connections).
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! local all all trust
# The same using local loopback TCP/IP connections.
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host all all 127.0.0.1/32 trust
! # The same as the last line but using a separate netmask column
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host all all 127.0.0.1 255.255.255.255 trust
# Allow any user from any host with IP address 192.168.93.x to connect
# to database "template1" as the same user name that ident reports for
# the connection (typically the Unix user name).
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host template1 all 192.168.93.0/24 ident sameuser
! # The same as the last line but using a separate netmask column
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host template1 all 192.168.93.0 255.255.255.0 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database
# "template1" if the user's password is correctly supplied.
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host template1 all 192.168.12.10/32 md5
# In the absence of preceding "host" lines, these two lines will
# reject all connection from 192.168.54.1 (since that entry will be
***************
*** 495,503 ****
# on the Internet. The zero mask means that no bits of the host IP
# address are considered so it matches any host.
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host all all 192.168.54.1 255.255.255.255 reject
! host all all 0.0.0.0 0.0.0.0 krb5
# Allow users from 192.168.x.x hosts to connect to any database, if
# they pass the ident check. If, for example, ident says the user is
--- 490,498 ----
# on the Internet. The zero mask means that no bits of the host IP
# address are considered so it matches any host.
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host all all 192.168.54.1/32 reject
! host all all 0.0.0.0/0 krb5
# Allow users from 192.168.x.x hosts to connect to any database, if
# they pass the ident check. If, for example, ident says the user is
***************
*** 505,512 ****
# connection is allowed if there is an entry in pg_ident.conf for map
# "omicron" that says "bryanh" is allowed to connect as "guest1".
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host all all 192.168.0.0 255.255.0.0 ident omicron
# If these are the only three lines for local connections, they will
# allow local users to connect only to their own databases (databases
--- 500,507 ----
# connection is allowed if there is an entry in pg_ident.conf for map
# "omicron" that says "bryanh" is allowed to connect as "guest1".
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host all all 192.168.0.0/16 ident omicron
# If these are the only three lines for local connections, they will
# allow local users to connect only to their own databases (databases
***************
*** 515,521 ****
# $PGDATA/admins contains a list of user names. Passwords are required in
# all cases.
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local sameuser all md5
local all @admins md5
local all +support md5
--- 510,516 ----
# $PGDATA/admins contains a list of user names. Passwords are required in
# all cases.
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
local sameuser all md5
local all @admins md5
local all +support md5
***************
*** 959,961 ****
--- 954,957 ----
</sect1>
</chapter>
+
Index: src/backend/libpq/pg_hba.conf.sample
===================================================================
RCS file: /cvsroot/pgsql-server/src/backend/libpq/pg_hba.conf.sample,v
retrieving revision 1.52
diff -c -c -r1.52 pg_hba.conf.sample
*** src/backend/libpq/pg_hba.conf.sample 26 Aug 2004 13:44:38 -0000 1.52
--- src/backend/libpq/pg_hba.conf.sample 26 Aug 2004 16:11:09 -0000
***************
*** 28,38 ****
#
# CIDR-ADDRESS specifies the set of hosts the record matches.
# It is made up of an IP address and a CIDR mask that is an integer
! # between 0 and 32 (IPv6) or 128(IPv6) inclusive, that specifies
! # the number of significant bits in the mask, e.g. an IPv4 CIDR mask
! # of 8 is equivalent to an IP mask of 255.0.0.0, an IPv6 CIDR mask
! # of 64 is equivalent to an IP mask of ffff:ffff:ffff:ffff::. A
! # IPv4 CIDR mask of 32 is used for single hosts. Also, you can use a
# separate IP address and netmask to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
--- 28,35 ----
#
# CIDR-ADDRESS specifies the set of hosts the record matches.
# It is made up of an IP address and a CIDR mask that is an integer
! # (between 0 and 32 (IPv6) or 128(IPv6) inclusive) that specifies
! # the number of significant bits in the mask Also, you can use a
# separate IP address and netmask to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
