Participants
Magnus Hagander
Magnus Hagander
Tom Lane
Tom Lane
Josh Berkus
Josh Berkus
Heikki Linnakangas
Heikki Linnakangas
Robert Haas
Robert Haas
Attachments

No attachments in this thread

Thread Outline
#1Magnus HaganderMagnus Hagander
Jan 16, 2011
#2Tom LaneTom Laneto Magnus Hagander (#1)
Jan 16, 2011
#3...#4
Josh BerkusHeikki Linnakangas
to Magnus Hagander (#1)
Jan 16, 2011
#3Josh BerkusJosh Berkusto Magnus Hagander (#1)
Jan 16, 2011
#4Heikki LinnakangasHeikki Linnakangasto Josh Berkus (#3)
Jan 17, 2011
#5Magnus HaganderMagnus Haganderto Heikki Linnakangas (#4)
Jan 17, 2011
#6Robert HaasRobert Haasto Heikki Linnakangas (#4)
Jan 17, 2011

replication and pg_hba.conf

Started by Magnus Haganderalmost 15 years ago6 messages
#1Magnus Hagander
Magnus Hagander
magnus@hagander.net

In 9.0, we specifically require using "replication" as database name
to start a replication session. In 9.1 we will have the REPLICATION
attribute to a role - should we change it so that "all" in database
includes replication connections? It certainly goes in the "principle
of least surprise" path..

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Magnus Hagander (#1)
Re: replication and pg_hba.conf

Magnus Hagander <magnus@hagander.net> writes:

In 9.0, we specifically require using "replication" as database name
to start a replication session. In 9.1 we will have the REPLICATION
attribute to a role - should we change it so that "all" in database
includes replication connections? It certainly goes in the "principle
of least surprise" path..

No, not at all. If we had set things up so that roles with replication
bit could *only* do replication, it might be sensible to think about
that, but we didn't.

regards, tom lane

#3Josh Berkus
Josh Berkus
josh@agliodbs.com
In reply to: Magnus Hagander (#1)
Re: replication and pg_hba.conf

In 9.0, we specifically require using "replication" as database name
to start a replication session. In 9.1 we will have the REPLICATION
attribute to a role - should we change it so that "all" in database
includes replication connections? It certainly goes in the "principle
of least surprise" path..

+1. It'll eliminate an entire file to edit for replication setup, so
does a lot to make initial replication setup easier.

--
-- Josh Berkus
PostgreSQL Experts Inc.
http://www.pgexperts.com

#4Heikki Linnakangas
Heikki Linnakangas
heikki.linnakangas@enterprisedb.com
In reply to: Josh Berkus (#3)
Re: replication and pg_hba.conf

On 16.01.2011 22:55, Josh Berkus wrote:

In 9.0, we specifically require using "replication" as database name
to start a replication session. In 9.1 we will have the REPLICATION
attribute to a role - should we change it so that "all" in database
includes replication connections? It certainly goes in the "principle
of least surprise" path..

+1. It'll eliminate an entire file to edit for replication setup, so
does a lot to make initial replication setup easier.

No, we should by secure by default. You usually want to lock down
tightly where replication connections can come from. You know the IP
addresses of your standby servers, so it shouldn't be hard to

If "all" includes replication connections, that makes it harder to
configure pg_hba.conf correctly so that you allow normal connections
from anywhere, but only allow replication connections from a specific IP
address. You'd need two lines, first one to accept replication
connections from the standby, and a second one to reject them from
anywhere else.

But I wonder if we should add lines in the default pg_hba.conf to
"trust" replication connections from loopback, like we do for normal
connections?

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

#5Magnus Hagander
Magnus Hagander
magnus@hagander.net
In reply to: Heikki Linnakangas (#4)
Re: replication and pg_hba.conf

On Mon, Jan 17, 2011 at 07:44, Heikki Linnakangas
<heikki.linnakangas@enterprisedb.com> wrote:

On 16.01.2011 22:55, Josh Berkus wrote:

In 9.0, we specifically require using "replication" as database name
to start a replication session. In 9.1 we will have the REPLICATION
attribute to a role - should we change it so that "all" in database
includes replication connections? It certainly goes in the "principle
of least surprise" path..

+1.  It'll eliminate an entire file to edit for replication setup, so
does a lot to make initial replication setup easier.

No, we should by secure by default. You usually want to lock down tightly
where replication connections can come from. You know the IP addresses of
your standby servers, so it shouldn't be hard to

If "all" includes replication connections, that makes it harder to configure
pg_hba.conf correctly so that you allow normal connections from anywhere,
but only allow replication connections from a specific IP address. You'd
need two lines, first one to accept replication connections from the
standby, and a second one to reject them from anywhere else.

Yeah, that's true.

But I wonder if we should add lines in the default pg_hba.conf to "trust"
replication connections from loopback, like we do for normal connections?

That wouldn't hurt. Or at least put a commented-out line with a
typical replication line.

I now it says so in the documentation that is the top comment, but
that's long enough that people don't read it, and then end up going
WTF when they realize it...

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

#6Robert Haas
Robert Haas
robertmhaas@gmail.com
In reply to: Heikki Linnakangas (#4)
Re: replication and pg_hba.conf

On Jan 17, 2011, at 1:44 AM, Heikki Linnakangas <heikki.linnakangas@enterprisedb.com> wrote:

But I wonder if we should add lines in the default pg_hba.conf to "trust" replication connections from loopback, like we do for normal connections?

Seems sorta pointless.

...Robert

← Back to Topics