Improving pg_hba.conf
We have the following item on TODO:
* Overhaul pg_hba.conf host-based authentication
Can people tell me what they want changed. I know we need the pg_shadow
password field encrypted in the table and I will work on that now.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
On Tue, 12 Jun 2001, Bruce Momjian wrote:
> We have the following item on TODO:
> * Overhaul pg_hba.conf host-based authentication
> Can people tell me what they want changed. I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.
It might be worthwhile to add restrictions in the config file for user
level locking, I realize that it can be done now...but having it in the
pg_hba.conf file could make it easier...
Chris Bowlby,
-----------------------------------------------------
Web Developer @ Hub.org.
excalibur@hub.org
www.hub.org
1-902-542-3657
-----------------------------------------------------
I don't think that belongs in pg_hba.conf.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
Bruce Momjian wrote:
> We have the following item on TODO:
> * Overhaul pg_hba.conf host-based authentication
> Can people tell me what they want changed. I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.
Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
for free when you reinitialize and restore a database?
The file has to be read by the postmaster and the postmaster has no
access to data tables for speed and security reasons.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
Chris Bowlby writes:
> It might be worthwhile to add restrictions in the config file for user
> level locking, I realize that it can be done now...but having it in the
> pg_hba.conf file could make it easier...
This would be mostly pointless since you can create locks with judicious
use of insert/update/delete. I don't suppose you want to let those
commands run without the appropriate locks.
--
Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter
mlw writes:
> Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> for free when you reinitialize and restore a database?
Because if you hosed that table you would have hosed your entire
installation.
--
Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter
Peter Eisentraut wrote:
> mlw writes:
> > Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> > for free when you reinitialize and restore a database?
> Because if you hosed that table you would have hosed your entire
> installation.
You could use a bki script to fix the problem in stand alone mode if need be. I
don't think breaking this table is really an issue. My only concerns would be the
chicken vs egg problem connecting to the system, and security. Assuming these issues
could be resolved, I think having this info in a table would be beneficial for
maintenance.
> We have the following item on TODO:
> * Overhaul pg_hba.conf host-based authentication
> Can people tell me what they want changed. I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.
I haven't heard of any more issues with pg_hba.conf so I will mark the
item as done. I did clean up the comments in the file. I have also
added a TODO item:
* Read pg_hba.conf only on postmaster startup or SIGHUP
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
> I haven't heard of any more issues with pg_hba.conf so I will mark the
> item as done. I did clean up the comments in the file. I have also
> added a TODO item:
> * Read pg_hba.conf only on postmaster startup or SIGHUP
If you do this, can you add an access table for secondary lookups? I
tend to update host access frequently and personally I think it'd be
dandy to have a table that can be updated for access as well as the
primary pg_hba.conf file.
David
Sorry, I don't understand what secondary lookups are.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
What I mean is, do host lookups first in the text file, then if a
pg_hostaccess table (example) exists, check it for host entries. This
alleviates HUP or restart etc. to reload a config file.
David
Can't do that. Postmaster has no database access. Must be fast.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000