"repliation" as database name
Hello.
We can create a database named "replication".
$ createdb replication
A pg_hba.conf entry with DATABASE="all" is described as 'does not
match "replication"' in the comment there, but actually it
matches and we can connect to the database
"replication". (Documentation doesn't mention the restriction)
$ psql replication -At -c 'select current_database()'
replication
We can specify the name replication by quoting and it does not
match a replication connection. It is not documented at all.
pg_hba.conf
local "replication" all trust
#local replication all trust ## commented out
FATAL: could not connect to the primary server: FATAL: no pg_hba.conf entry for replication connection from host "[local]", user "horiguti", SSL off
$ psql replication -At -c 'select current_database()'
replication
The same can be said of sameuser, samerole and even all. I think
this is absolutely sane behavior and worth documenting to some
extent if it doesn't become complex.
I think that at least the following amendments would be needed.
- Remove ""all" does not match "replication"". Instead "The "all"
keyword does not match replication connections."
- double-quoted database name is taken literally.
Is it worth doing?
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
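The matching behaviour reported in the message above, as an added example that is not part of the original post or of PostgreSQL's source: a simplified Python model of how the DATABASE field treats keywords and double-quoted names, run over a constructed pg_hba.conf. The function names and the sample are assumptions; role membership for samerole, @file includes and logical replication are not modelled.

```python
import re

FIELD = re.compile(r'(?:"[^"]*"|[^\s"])+')   # whitespace-separated, quoted parts kept together
ITEM = re.compile(r'"([^"]*)"|([^\s,"]+)')   # one entry of a comma-separated list

def db_items(line):
    """DATABASE field of a pg_hba.conf record as [(name, quoted)], or None."""
    fields = FIELD.findall(line.split("#", 1)[0])
    if len(fields) < 2:
        return None  # blank line or comment
    return [(m.group(1), True) if m.group(1) is not None else (m.group(2), False)
            for m in ITEM.finditer(fields[1])]

def db_matches(items, dbname, user, physical_replication):
    """Does the DATABASE field admit this connection request?"""
    for name, quoted in items:
        keyword = None if quoted else name   # a quoted token is never a keyword
        if physical_replication:
            if keyword == "replication":     # only the bare keyword matches
                return True
        elif keyword == "all":
            return True
        elif keyword == "sameuser":
            if dbname == user:
                return True
        elif keyword in ("samerole", "samegroup", "replication"):
            continue  # membership not modelled; keyword "replication" is not a db name
        elif name == dbname:
            return True
    return False

def audit(conf, user="horiguti"):
    """[(lineno, admits database named 'replication', admits physical replication)]"""
    rows = []
    for n, line in enumerate(conf.splitlines(), 1):
        items = db_items(line)
        if items is not None:
            rows.append((n, db_matches(items, "replication", user, False),
                         db_matches(items, "replication", user, True)))
    return rows

# Constructed sample: the records from the message plus one mixed list.
SAMPLE = '''\
local   all               all   trust
local   "replication"     all   trust
#local  replication       all   trust
local   replication,"all" all   trust
'''

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Only the last record admits a physical replication connection; the first two admit an ordinary connection to a database that happens to be named replication.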
At Tue, 18 Dec 2018 18:48:25 +0900 (Tokyo Standard Time), Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp> wrote in <20181218.184825.02619975.horiguchi.kyotaro@lab.ntt.co.jp>
- Remove ""all" does not match "replication"". Instead "The "all"
keyword does not match replication connections."
- double-quoted database name is taken literally.
I found that in the documentation thanks to a notification
off-list. And after some reconfirmation, what I want to fix is
only a few lines of comment in pg_hba.conf.sample.
-# database name, or a comma-separated list thereof. The "all"
-# keyword does not match "replication". Access to replication
-# must be enabled in a separate record (see example below).
+# database name, or a comma-separated list thereof. The "all" keyword
+# matches all databases. The "replication" keyword matches a physical
+# replication connection request and it must be enabled in a separate
+# record (see example below)
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
Attachments:
0001-Clarify-the-comments-about-all-and-replication-in-pg.patch (text/x-patch; charset=us-ascii)
From b270a38b3edc90a3f56cb07ea6fdd5a20140fd46 Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <horiguchi.kyotaro@lab.ntt.co.jp>
Date: Fri, 21 Dec 2018 15:48:25 +0900
Subject: [PATCH] Clarify the comments about "all" and "replication" in
pg_hba.conf.sample
The explanatory comments in the pg_hba.conf.sample file look a bit
misleading. Clarify the meaning of "all" and "replication" keywords by
making database names distinct from keywords.
---
src/backend/libpq/pg_hba.conf.sample | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index c853e36232..7c9c225afe 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -22,9 +22,10 @@
# plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
-# database name, or a comma-separated list thereof. The "all"
-# keyword does not match "replication". Access to replication
-# must be enabled in a separate record (see example below).
+# database name, or a comma-separated list thereof. The "all" keyword
+# matches all databases. The "replication" keyword matches a physical
+# replication connection request and it must be enabled in a separate
+# record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
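Review bot: the added sentence 'The "all" keyword matches all databases.' no longer states that "all" excludes replication connections, which is the one fact the removed lines were trying to convey, so a reader could conclude that an "all" record also admits replication. Suggest ending that sentence with "but not replication connections". In the next sentence, "it must be enabled in a separate record" has no clear antecedent for "it"; say that replication access needs its own record using the "replication" keyword. The comment also still does not mention that a double-quoted "replication" is taken as a database name, which is the case the thread's test exercises; one clause here, or in the paragraph on quoting that follows, would cover it.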
--
2.16.3
Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp> writes:
I found that in the documentation thanks to a notification
off-list. And after some reconfirmation, what I want to fix is
only a few lines of comment in pg_hba.conf.sample.
-# database name, or a comma-separated list thereof. The "all" -# keyword does not match "replication". Access to replication -# must be enabled in a separate record (see example below). +# database name, or a comma-separated list thereof. The "all" keyword +# matches all databases. The "replication" keyword matches a physical +# replication connection request and it must be enabled in a separate +# record (see example below)
Hm, I agree that the para doesn't read very well now, but I think this
could be improved further. How about something like
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "replication"
# keyword matches replication connection requests (see example below).
# The "all" keyword matches all database names, but not replication
# connections.
regards, tom lane
At Wed, 26 Dec 2018 12:59:32 -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote in <32289.1545847172@sss.pgh.pa.us>
Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp> writes:
I found that in the documentation thanks to a notification
off-list. And after some reconfirmation, what I want to fix is
only a few lines of comment in pg_hba.conf.sample.
-# database name, or a comma-separated list thereof. The "all" -# keyword does not match "replication". Access to replication -# must be enabled in a separate record (see example below). +# database name, or a comma-separated list thereof. The "all" keyword +# matches all databases. The "replication" keyword matches a physical +# replication connection request and it must be enabled in a separate +# record (see example below)
Hm, I agree that the para doesn't read very well now, but I think this
could be improved further. How about something like
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "replication"
# keyword matches replication connection requests (see example below).
# The "all" keyword matches all database names, but not replication
# connections.
I'm afraid that just dropping "it must be enabled in a separate
record" leads to confusion. How about adding a comment to the
replication connection examples?
# Allow replication connections from localhost, by a user with the
# replication privilege. Each definition must have its own record.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
At Mon, 28 Jan 2019 17:30:57 +0900 (Tokyo Standard Time), Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp> wrote in <20190128.173057.41178374.horiguchi.kyotaro@lab.ntt.co.jp>
At Wed, 26 Dec 2018 12:59:32 -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote in <32289.1545847172@sss.pgh.pa.us>
Hm, I agree that the para doesn't read very well now, but I think this
could be improved further. How about something like
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "replication"
# keyword matches replication connection requests (see example below).
# The "all" keyword matches all database names, but not replication
# connections.
I'm afraid that just dropping "it must be enabled in a separate
record" leads to confusion. How about adding a comment to
replication connection examples.
# Allow replication connections from localhost, by a user with the
# replication privilege. Each definition must have its own record.
Mmm, this doesn't seem to be saying what I wanted to say there.
This seems better.
# Allow replication connections from localhost, by a user with
# the replication privilege. They must have separate records from
# non-replication connections.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center