Thread: purpose of an entry in pg_hba.conf file

purpose of an entry in pg_hba.conf file

From: Atul Kumar

Hi,

As you know already, pg_hba.conf file always has the below entry after successful installation of postgres.

host    all             all             127.0.0.1/32            trust

Please let me know what is the exact purpose of this entry and what would be the impact of removing it on other tools/processes like pgbouncer, pem, replication etc.?



Regards,

Atul

Re: purpose of an entry in pg_hba.conf file

From: "David G. Johnston"

On Wed, Oct 25, 2023 at 5:11 PM Atul Kumar <akumar14871@gmail.com> wrote:
> Hi,
>
> As you know already, pg_hba.conf file always has the below entry after successful installation of postgres.
>
> host    all             all             127.0.0.1/32            trust
>
> Please let me know what is the exact purpose of this entry and what would be the impact of removing it on other tools/processes like pgbouncer, pem, replication etc.?

While that may be a true statement for installation from source I'm pretty certain most packagers have a more tightly controlled setup that doesn't involve "trust" authentication.

The reason behind choosing to include that specific line is to minimize the amount of post-install effort needed for one to connect to the server from the local machine, which is often a personal machine with only the "DBA" having access to it.

The better and more widely implemented default is requiring a password for host while accepting peer for local.

All external tools should be told what credentials to use to connect to the server and those credentials added to the system and a more restrictive pg_hba.conf entry added to permit those connections.  All trust connections in pg_hba.conf should be removed from it as quickly as possible.

David J.


Re: purpose of an entry in pg_hba.conf file

From: Atul Kumar

As per response

"It allows anyone/anything on the local machine to connect to the database without authentication.  Whether that impacts any particular one/thing depends on your personal setup."

There is already one line to serve your stated purpose
local       all      all                                trust


That's why I specifically raised this question for below from postgresql experts
host    all             all             127.0.0.1/32            trust

So still I am not able to find a valid reason for keeping this entry. So please help me in explaining the same.


Regards,

On Thu, Oct 26, 2023 at 11:56 PM David G. Johnston <david.g.johnston@gmail.com> wrote:
> Always reply to the list, it is ok to CC individuals.  Also, the convention here is to inline post (or bottom if you must) as in my first reply; not top-post as you and I have done here.
>
> I'd suggest also putting into your own words what you believe the entry is providing/enabling.  Read the relevant documentation for aid in formulating such a description.
>
> It allows anyone/anything on the local machine to connect to the database without authentication.  Whether that impacts any particular one/thing depends on your personal setup.
>
> David J.
>
> On Thu, Oct 26, 2023 at 11:04 AM Atul Kumar <akumar14871@gmail.com> wrote:
>> Hi,
>>
>> Could you elaborate more as it seems that your response doesn't satisfy my query which is "what is the exact purpose of this entry and what would be the impact of removing it on other tools/processes like pgbouncer, pem, replication etc.?"
>>
>> I am yet to understand the impact of removing this entry.
>>
>> Regards.
>>
>> On Thu, Oct 26, 2023 at 5:52 AM David G. Johnston <david.g.johnston@gmail.com> wrote:
>>> On Wed, Oct 25, 2023 at 5:11 PM Atul Kumar <akumar14871@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> As you know already, pg_hba.conf file always has the below entry after successful installation of postgres.
>>>>
>>>> host    all             all             127.0.0.1/32            trust
>>>>
>>>> Please let me know what is the exact purpose of this entry and what would be the impact of removing it on other tools/processes like pgbouncer, pem, replication etc.?
>>>
>>> While that may be a true statement for installation from source I'm pretty certain most packagers have a more tightly controlled setup that doesn't involve "trust" authentication.
>>>
>>> The reason behind choosing to include that specific line is to minimize the amount of post-install effort needed for one to connect to the server from the local machine, which is often a personal machine with only the "DBA" having access to it.
>>>
>>> The better and more widely implemented default is requiring a password for host while accepting peer for local.
>>>
>>> All external tools should be told what credentials to use to connect to the server and those credentials added to the system and a more restrictive pg_hba.conf entry added to permit those connections.  All trust connections in pg_hba.conf should be removed from it as quickly as possible.
>>>
>>> David J.


Re: purpose of an entry in pg_hba.conf file

From: Christophe Pettus

> On Oct 26, 2023, at 11:44, Atul Kumar <akumar14871@gmail.com> wrote:
> There is already one line to serve your stated purpose
> local       all      all                                trust
>
>
> That's why I specifically raised this question for below from postgresql experts
> host    all             all             127.0.0.1/32            trust

The first line applies to local sockets; the second to connections over the local loopback network port.
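
An added example, not part of the original thread: a small Python audit that parses pg_hba.conf text, reports every rule using `trust` (the rules the first reply says to remove), and labels whether each one applies to Unix-socket clients (`local`) or to TCP clients (`host`), the distinction drawn in the reply above. The sample file and all function names are constructed for illustration; quoted fields are assumed absent and include directives are skipped.

```python
import ipaddress

# Constructed sample: the two "trust" lines quoted in the thread, followed by
# the peer-for-local / password-for-host layout recommended in the first reply.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (lineno, conn_type, address, method) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # assumes no quoted fields
        if not fields or fields[0].startswith("include"):
            continue
        if fields[0] == "local":                # TYPE DATABASE USER METHOD
            if len(fields) >= 4:
                yield lineno, "local", None, fields[3]
        elif len(fields) >= 5:                  # TYPE DATABASE USER ADDRESS METHOD
            address, method = fields[3], fields[4]
            if len(fields) >= 6 and _is_ip(method):   # ADDRESS MASK METHOD form
                address, method = f"{address}/{method}", fields[5]
            yield lineno, fields[0], address, method

def reach(address):
    """Who can hit this rule: Unix-socket clients, loopback TCP, or wider."""
    if address is None:
        return "unix-socket"
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:                          # hostname, all, samehost, samenet
        return "network"                        # not provably loopback-only
    return "loopback-tcp" if net.is_loopback else "network"

def trust_rules(text):
    """Return (lineno, conn_type, reach) for every rule whose method is trust."""
    return [(n, t, reach(a)) for n, t, a, m in parse_hba(text) if m == "trust"]

if __name__ == "__main__":
    for lineno, conn_type, where in trust_rules(SAMPLE_HBA):
        print(f"line {lineno}: {conn_type} rule lets {where} clients in without authentication")
```
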


Re: purpose of an entry in pg_hba.conf file

From: Atul Kumar

Please share the required link having such information in detail; it would be more helpful to me.

Regards.

On Fri, Oct 27, 2023 at 12:16 AM Christophe Pettus <xof@thebuild.com> wrote:
>> On Oct 26, 2023, at 11:44, Atul Kumar <akumar14871@gmail.com> wrote:
>> There is already one line to serve your stated purpose
>> local       all      all                                trust
>>
>> That's why I specifically raised this question for below from postgresql experts
>> host    all             all             127.0.0.1/32            trust
>
> The first line applies to local sockets; the second to connections over the local loopback network port.

Re: purpose of an entry in pg_hba.conf file

From: Christophe Pettus

> On Oct 26, 2023, at 11:53, Atul Kumar <akumar14871@gmail.com> wrote:
>
> Please share the required link having such information in detail; it would be more helpful to me.

    https://www.postgresql.org/docs/current/auth-pg-hba-conf.html