pg_hba.conf and IP-MASK
We have an IP-MASK column in pg_hba.conf. Now that we are using CIDR
addresses by default, should we remove the column label?
We still support a netmask value if they don't use CIDR format, but
now that the default is CIDR, it seems we should remove the column
label.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Bruce Momjian wrote:
We have an IP-MASK column in pg_hba.conf. Now that we are using CIDR
addresses by default, should we remove the column label?
I would mark it optional.
We still support a netmask value if they don't use CIDR format, but
now that the default is CIDR, it seems we should remove the column
label.
--
Command Prompt, Inc., home of Mammoth PostgreSQL - S/ODBC and S/JDBC
Postgresql support, programming shared hosting and dedicated hosting.
+1-503-667-4564 - jd@commandprompt.com - http://www.commandprompt.com
PostgreSQL Replicator -- production quality replication for PostgreSQL
Joshua D. Drake wrote:
Bruce Momjian wrote:
We have an IP-MASK column in pg_hba.conf. Now that we are using CIDR
addresses by default, should we remove the column label?
I would mark it optional.
We could do that, but we could use the space if we removed it. One
other confusing thing is that it isn't the last column in the row, so it
is optional only if you used CIDR format --- kind of strange.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Bruce Momjian said:
Joshua D. Drake wrote:
Bruce Momjian wrote:
We have an IP-MASK column in pg_hba.conf. Now that we are using CIDR
addresses by default, should we remove the column label?
I would mark it optional.
We could do that, but we could use the space if we removed it. One
other confusing thing is that it isn't the last column in the row, so
it is optional only if you used CIDR format --- kind of strange.
The syntax rule (debated at length around May last year when this work was
done) is that you have to have either addr/nn for CIDR format or
addr<space>mask for the old-style format - both are documented in
pg_hba.conf and in the docs. So in fact the IP-MASK column is not optional
at all - it must be present if, and only if, you did not use a CIDR mask.
Since our defaults don't use old-style masks any more, I would be tempted to
remove the column labels for IP-ADDRESS and IP-MASK, and instead put in a
single heading of IP-ADDRESS/CIDR-MASK. If people want to use old-style
masks there is plenty of info on how to, without extra column headings.
cheers
andrew
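The two record syntaxes Andrew describes (addr/nn, or addr followed by a mask in its own column, which is required if and only if the CIDR form is not used) and the matching rule the documentation gives for them, worked through as an added example. This is not PostgreSQL's own parser or any code from the thread; the record, function and sample-file names are this example's own, and the sample pg_hba.conf lines are constructed to mirror the ones in the documentation.

```python
"""Matching pg_hba.conf host records: CIDR form vs. old-style address+mask.

Added example, not PostgreSQL's own code.  The IP-mask column is required
if, and only if, the address is not written as addr/nn.  Matching applies
the documented rule (actual-IP xor IP-address-field) and IP-mask-field == 0.
Record, function and sample names here are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class HbaRecord:
    conn_type: str                  # local, host, hostssl or hostnossl
    database: str
    user: str
    method: str
    options: List[str]
    version: Optional[int] = None   # 4 or 6; None for "local" records
    address: Optional[int] = None   # IP-address field as an integer
    mask: Optional[int] = None      # IP-mask field as an integer

def mask_from_prefix(version: int, prefix: int) -> int:
    """Expand a CIDR mask length into the full mask (IPv4 /8 -> 255.0.0.0)."""
    bits = 32 if version == 4 else 128
    if not 0 <= prefix <= bits:
        raise ValueError(f"CIDR mask length {prefix} outside 0..{bits}")
    return ((1 << bits) - 1) ^ ((1 << (bits - prefix)) - 1)

def parse_record(line: str) -> HbaRecord:
    """Parse one non-comment pg_hba.conf line; raises ValueError on bad syntax."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"too few fields: {line!r}")
    conn_type, database, user = fields[:3]
    if conn_type == "local":
        return HbaRecord(conn_type, database, user, fields[3], fields[4:])
    if conn_type not in ("host", "hostssl", "hostnossl"):
        raise ValueError(f"unknown record type {conn_type!r}")
    if "/" in fields[3]:
        # CIDR form: address and mask length in one column, no IP-mask column.
        addr_text, prefix_text = fields[3].split("/", 1)
        addr = ipaddress.ip_address(addr_text)
        mask = mask_from_prefix(addr.version, int(prefix_text))
        rest = fields[4:]
    else:
        # Old-style form: the IP-mask column must directly follow the address.
        addr = ipaddress.ip_address(fields[3])
        try:
            mask_addr = ipaddress.ip_address(fields[4])
        except (ValueError, IndexError):
            raise ValueError(f"IP-mask column required after {fields[3]}: {line!r}") from None
        if mask_addr.version != addr.version:
            raise ValueError(f"address {addr} and mask {mask_addr} differ in family")
        mask, rest = int(mask_addr), fields[5:]
    if not rest:
        raise ValueError(f"missing METHOD: {line!r}")
    return HbaRecord(conn_type, database, user, rest[0], rest[1:],
                     addr.version, int(addr), mask)

def is_valid_record(line: str) -> bool:
    """True if the line parses under the rules above, False otherwise."""
    try:
        parse_record(line)
        return True
    except ValueError:
        return False

def parse_hba(text: str) -> List[HbaRecord]:
    """Parse a whole pg_hba.conf body, skipping blank lines and comments."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [parse_record(line) for line in lines if line]

def record_matches(rec: HbaRecord, database: str, user: str, client_ip: str) -> bool:
    """(client xor address) and mask == 0, plus database/user ("all" or exact)."""
    if rec.conn_type == "local":
        return False  # Unix-domain socket records never match a TCP client
    client = ipaddress.ip_address(client_ip)
    if client.version != rec.version:
        return False  # an IPv4 record never matches an IPv6 client, and vice versa
    if rec.database not in ("all", database) or rec.user not in ("all", user):
        return False
    return ((int(client) ^ rec.address) & rec.mask) == 0

def first_matching_method(records: List[HbaRecord], database: str,
                          user: str, client_ip: str) -> Optional[str]:
    """pg_hba.conf is first-match: the first matching record decides the method."""
    for rec in records:
        if record_matches(rec, database, user, client_ip):
            return rec.method
    return None

# Constructed sample mirroring the documentation examples, both syntaxes side by side.
SAMPLE_HBA = """\
# TYPE  DATABASE   USER   CIDR-ADDRESS                  METHOD
local   all        all                                  trust
host    all        all    127.0.0.1/32                  trust
host    all        all    192.168.54.1/32               reject
host    template1  all    192.168.93.0   255.255.255.0  ident sameuser
host    all        all    0.0.0.0/0                     krb5
"""
```

Calling `first_matching_method(parse_hba(SAMPLE_HBA), "template1", "alice", "192.168.93.42")` returns `ident`, while the same client asking for `postgres` falls through to the `0.0.0.0/0` catch-all and gets `krb5`. The parser rejects `host all all 127.0.0.1 trust`, because without a `/nn` the next column has to be a mask, which is precisely the "present if, and only if" rule from the message above; only the `@file` and `+group` user syntaxes of the real file are left out here.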
"Andrew Dunstan" <andrew@dunslane.net> writes:
Since our defaults don't use old-style masks any more, I would be tempted to
remove the column labels for IP-ADDRESS and IP-MASK, and instead put in a
single heading of IP-ADDRESS/CIDR-MASK.
I don't know why there is any debate about this. When I said "fix the
comments to agree with the code", the column headings were certainly
one of the things I had in mind. You should have done that in the
original patch.
regards, tom lane
Andrew Dunstan wrote:
Tom Lane said:
"Andrew Dunstan" <andrew@dunslane.net> writes:
Since our defaults don't use old-style masks any more, I would be
tempted to remove the column labels for IP-ADDRESS and IP-MASK, and
instead put in a single heading of IP-ADDRESS/CIDR-MASK.
I don't know why there is any debate about this. When I said "fix the
comments to agree with the code", the column headings were certainly
one of the things I had in mind. You should have done that in the
original patch.
Then I apologise. As I think I indicated, my time is very limited right now.
So rather than submit things that are incomplete I will be refraining from
pretty much any pg work for a while - I already did a lot more that I
originally set as my goals for this release.
I will complete any adjustments. Thanks.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Tom Lane said:
"Andrew Dunstan" <andrew@dunslane.net> writes:
Since our defaults don't use old-style masks any more, I would be
tempted to remove the column labels for IP-ADDRESS and IP-MASK, and
instead put in a single heading of IP-ADDRESS/CIDR-MASK.
I don't know why there is any debate about this. When I said "fix the
comments to agree with the code", the column headings were certainly
one of the things I had in mind. You should have done that in the
original patch.
Then I apologise. As I think I indicated, my time is very limited right now.
So rather than submit things that are incomplete I will be refraining from
pretty much any pg work for a while - I already did a lot more that I
originally set as my goals for this release.
cheers
andrew
OK, doc patch attached and applied that prefers CIDR format for pg_hba.conf.
---------------------------------------------------------------------------
Andrew Dunstan wrote:
Tom Lane said:
"Andrew Dunstan" <andrew@dunslane.net> writes:
Since our defaults don't use old-style masks any more, I would be
tempted to remove the column labels for IP-ADDRESS and IP-MASK, and
instead put in a single heading of IP-ADDRESS/CIDR-MASK.
I don't know why there is any debate about this. When I said "fix the
comments to agree with the code", the column headings were certainly
one of the things I had in mind. You should have done that in the
original patch.
Then I apologise. As I think I indicated, my time is very limited right now.
So rather than submit things that are incomplete I will be refraining from
pretty much any pg work for a while - I already did a lot more that I
originally set as my goals for this release.
cheers
andrew
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Attachment: /bjm/diff (text/plain)
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql-server/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.65
diff -c -c -r1.65 client-auth.sgml
*** doc/src/sgml/client-auth.sgml 23 Mar 2004 01:23:48 -0000 1.65
--- doc/src/sgml/client-auth.sgml 26 Aug 2004 16:11:06 -0000
***************
*** 86,97 ****
A record may have one of the seven formats
<synopsis>
local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
- host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
- hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
- hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
</synopsis>
The meaning of the fields is as follows:
--- 86,97 ----
A record may have one of the seven formats
<synopsis>
local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
+ host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
+ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
+ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
</synopsis>
The meaning of the fields is as follows:
***************
*** 196,214 ****
</varlistentry>
<varlistentry>
! <term><replaceable>IP-address</replaceable></term>
! <term><replaceable>IP-mask</replaceable></term>
<listitem>
<para>
! These two fields contain IP address and mask values in standard
! dotted decimal notation. (IP addresses can only be specified
! numerically, not as domain or host names.) Taken together they
! specify the client machine IP addresses that this record
! matches. The precise logic is that
! <programlisting>
! (<replaceable>actual-IP-address</replaceable> xor <replaceable>IP-address-field</replaceable>) and <replaceable>IP-mask-field</replaceable>
! </programlisting>
! must be zero for the record to match.
</para>
<para>
--- 196,218 ----
</varlistentry>
<varlistentry>
! <term><replaceable>CIDR-address</replaceable></term>
<listitem>
<para>
! specifies the client machine IP addresses that this record
! matches. It contains an IP address in standard dotted decimal
! notation and a CIDR mask length. (IP addresses can only be
! specified numerically, not as domain or host names.) For example,
! an IPv4 CIDR mask of 8 is equivalent to an IP mask of 255.0.0.0,
! an IPv6 CIDR mask of 64 is equivalent to an IP mask of
! ffff:ffff:ffff:ffff::. A IPv4 CIDR mask of 32 is used for single
! hosts.
! </para>
!
! <para>
! A typical CIDR address is <literal>172.20.143.89/32</literal>.
! There should be no white space between the IP address, the
! <literal>/</literal>, and the CIDR mask length.
</para>
<para>
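Review bot: the new CIDR-address paragraph drops the precise matching rule the old text stated in its programlisting, `(actual-IP-address xor IP-address-field) and IP-mask-field` must be zero, and also the 0..32 / 0..128 range statement that the removed IP-masklen entry carried; with both gone, the sentence "The same matching logic is used as for a dotted notation IP-mask" in the next hunk has nothing to refer back to. Keep the programlisting here, expressed in terms of the expanded CIDR mask, and state the allowed range of the mask length. Two smaller points in the same paragraph: it now begins mid-sentence with a lowercase "specifies the client machine IP addresses", and "A IPv4 CIDR mask of 32" should read "An IPv4 CIDR mask of 32".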
***************
*** 229,254 ****
</varlistentry>
<varlistentry>
<term><replaceable>IP-masklen</replaceable></term>
<listitem>
<para>
! This field may be used as an alternative to the
! <replaceable>IP-mask</replaceable> notation. It is an integer
! specifying the number of high-order bits to set in the mask.
! The number must be between 0 and 32 (in the case of an IPv4
! address) or 128 (in the case of an IPv6 address) inclusive. 0
! will match any address, while 32 (or 128, respectively) will
! match only the exact host specified. The same matching logic
! is used as for a dotted notation
! <replaceable>IP-mask</replaceable>.
! </para>
!
! <para>
! There must be no white space between the
! <replaceable>IP-address</replaceable> and the
! <literal>/</literal> or the <literal>/</literal> and the
! <replaceable>IP-masklen</replaceable>, or the file will not be
! parsed correctly.
</para>
<para>
--- 233,249 ----
</varlistentry>
<varlistentry>
+ <term><replaceable>IP-address</replaceable></term>
<term><replaceable>IP-masklen</replaceable></term>
<listitem>
<para>
! This may be used as an alternative to the
! <replaceable>CIDR-address</replaceable> notation. Instead of
! specifying the mask length, the actual mask is specified in a
! separate column. For example, 255.0.0.0 represents a IPv4 CIDR
! mask length of 8, and 255.255.255.255 represents a CIDR mask
! length of 32. The same matching logic is used as for a dotted
! notation <replaceable>IP-mask</replaceable>.
</para>
<para>
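Review bot: the varlistentry keeps `<term><replaceable>IP-masklen</replaceable></term>` while the synopsis in the first hunk and this paragraph both describe a dotted mask in a separate column, so the field is named IP-masklen in one place and IP-mask in the other; the second term should be `IP-mask`. The closing sentence "The same matching logic is used as for a dotted notation IP-mask" is now circular, since this is the IP-mask entry; point it at the CIDR-address entry (where the matching rule should live) instead. Minor: "represents a IPv4 CIDR mask length" should be "an IPv4".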
***************
*** 458,493 ****
# any user name using Unix-domain sockets (the default for local
# connections).
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! local all all trust
# The same using local loopback TCP/IP connections.
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host all all 127.0.0.1 255.255.255.255 trust
! # The same as the last line but using a CIDR mask
#
! # TYPE DATABASE USER IP-ADDRESS/CIDR-mask METHOD
! host all all 127.0.0.1/32 trust
# Allow any user from any host with IP address 192.168.93.x to connect
# to database "template1" as the same user name that ident reports for
# the connection (typically the Unix user name).
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host template1 all 192.168.93.0 255.255.255.0 ident sameuser
! # The same as the last line but using a CIDR mask
#
! # TYPE DATABASE USER IP-ADDRESS/CIDR-mask METHOD
! host template1 all 192.168.93.0/24 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database
# "template1" if the user's password is correctly supplied.
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host template1 all 192.168.12.10 255.255.255.255 md5
# In the absence of preceding "host" lines, these two lines will
# reject all connection from 192.168.54.1 (since that entry will be
--- 453,488 ----
# any user name using Unix-domain sockets (the default for local
# connections).
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! local all all trust
# The same using local loopback TCP/IP connections.
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host all all 127.0.0.1/32 trust
! # The same as the last line but using a separate netmask column
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host all all 127.0.0.1 255.255.255.255 trust
# Allow any user from any host with IP address 192.168.93.x to connect
# to database "template1" as the same user name that ident reports for
# the connection (typically the Unix user name).
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host template1 all 192.168.93.0/24 ident sameuser
! # The same as the last line but using a separate netmask column
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host template1 all 192.168.93.0 255.255.255.0 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database
# "template1" if the user's password is correctly supplied.
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host template1 all 192.168.12.10/32 md5
# In the absence of preceding "host" lines, these two lines will
# reject all connection from 192.168.54.1 (since that entry will be
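Review bot: the `# TYPE DATABASE USER CIDR-ADDRESS METHOD` header is now placed over the two examples whose comment says "using a separate netmask column" (`127.0.0.1 255.255.255.255` and `192.168.93.0 255.255.255.0`), so a reader sees a five-column header above six-column records, which is exactly the confusion this thread is about. Either give those two examples an `IP-ADDRESS IP-MASK` header of their own or use a combined heading such as the `IP-ADDRESS/CIDR-MASK` form proposed upthread. Since a mis-copied address field in this file changes which hosts are trusted, the examples are worth making unambiguous.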
***************
*** 495,503 ****
# on the Internet. The zero mask means that no bits of the host IP
# address are considered so it matches any host.
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host all all 192.168.54.1 255.255.255.255 reject
! host all all 0.0.0.0 0.0.0.0 krb5
# Allow users from 192.168.x.x hosts to connect to any database, if
# they pass the ident check. If, for example, ident says the user is
--- 490,498 ----
# on the Internet. The zero mask means that no bits of the host IP
# address are considered so it matches any host.
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host all all 192.168.54.1/32 reject
! host all all 0.0.0.0/0 krb5
# Allow users from 192.168.x.x hosts to connect to any database, if
# they pass the ident check. If, for example, ident says the user is
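Review bot: the unchanged comment above these lines still says "The zero mask means that no bits of the host IP address are considered", which described the old `0.0.0.0 0.0.0.0` record; now that the example reads `0.0.0.0/0`, the comment should say that a mask length of 0 considers no bits, so that the catch-all nature of the krb5 line stays clear in the new notation.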
***************
*** 505,512 ****
# connection is allowed if there is an entry in pg_ident.conf for map
# "omicron" that says "bryanh" is allowed to connect as "guest1".
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
! host all all 192.168.0.0 255.255.0.0 ident omicron
# If these are the only three lines for local connections, they will
# allow local users to connect only to their own databases (databases
--- 500,507 ----
# connection is allowed if there is an entry in pg_ident.conf for map
# "omicron" that says "bryanh" is allowed to connect as "guest1".
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
! host all all 192.168.0.0/16 ident omicron
# If these are the only three lines for local connections, they will
# allow local users to connect only to their own databases (databases
***************
*** 515,521 ****
# $PGDATA/admins contains a list of user names. Passwords are required in
# all cases.
#
! # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local sameuser all md5
local all @admins md5
local all +support md5
--- 510,516 ----
# $PGDATA/admins contains a list of user names. Passwords are required in
# all cases.
#
! # TYPE DATABASE USER CIDR-ADDRESS METHOD
local sameuser all md5
local all @admins md5
local all +support md5
***************
*** 959,961 ****
--- 954,957 ----
</sect1>
</chapter>
+
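Review bot: this hunk only appends an empty line after `</chapter>`; it looks like stray trailing whitespace rather than an intended change and should be dropped from the patch.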
Index: src/backend/libpq/pg_hba.conf.sample
===================================================================
RCS file: /cvsroot/pgsql-server/src/backend/libpq/pg_hba.conf.sample,v
retrieving revision 1.52
diff -c -c -r1.52 pg_hba.conf.sample
*** src/backend/libpq/pg_hba.conf.sample 26 Aug 2004 13:44:38 -0000 1.52
--- src/backend/libpq/pg_hba.conf.sample 26 Aug 2004 16:11:09 -0000
***************
*** 28,38 ****
#
# CIDR-ADDRESS specifies the set of hosts the record matches.
# It is made up of an IP address and a CIDR mask that is an integer
! # between 0 and 32 (IPv6) or 128(IPv6) inclusive, that specifies
! # the number of significant bits in the mask, e.g. an IPv4 CIDR mask
! # of 8 is equivalent to an IP mask of 255.0.0.0, an IPv6 CIDR mask
! # of 64 is equivalent to an IP mask of ffff:ffff:ffff:ffff::. A
! # IPv4 CIDR mask of 32 is used for single hosts. Also, you can use a
# separate IP address and netmask to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
--- 28,35 ----
#
# CIDR-ADDRESS specifies the set of hosts the record matches.
# It is made up of an IP address and a CIDR mask that is an integer
! # (between 0 and 32 (IPv6) or 128(IPv6) inclusive) that specifies
! # the number of significant bits in the mask Also, you can use a
# separate IP address and netmask to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
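Review bot: the rewritten line `(between 0 and 32 (IPv6) or 128(IPv6) inclusive)` labels both limits IPv6; the first should be IPv4, and since the hunk already touches that line this is the place to fix it. The shortened text also loses its sentence terminator: `the number of significant bits in the mask Also, you can` needs a full stop after `mask`. The worked equivalences removed here (8 = 255.0.0.0, 64 = ffff:ffff:ffff:ffff::, 32 = single host) were the most useful part of the comment for someone editing the file by hand; moving them to the SGML docs is fine, but a one-line pointer to that documentation would help.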