Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> One thing that bothers me slightly is that we would need to look up each
> name (at least until we found a match) for each connection. If you had
> lots of names in your pg_hba.conf that could be quite a hit.

A possible answer to that is to *not* look up the names from
pg_hba.conf, but instead restrict the feature to matching the
reverse-DNS name of the client. This limits the cost to one lookup per
connection instead of N (and it'd be essentially free if you have
log_hostnames turned on, since we already do that lookup in that case).
I'm not sure about the relative usefulness of this compared to the
forward-lookup case, nor whether it's riskier or less risky from a
spoofing point of view. But something to consider.

regards, tom lane
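Added example (not part of the original message, and not PostgreSQL code): the two matching schemes discussed above, in C against a constructed stub resolver with made-up names and addresses, counting lookups per connection. It goes one step beyond the message by adding an optional forward confirmation of the reverse name, which bears on the spoofing question at the cost of one more lookup.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stub DNS data; names and addresses are made up (RFC 5737 ranges). */
struct rec { const char *key, *val; };
static const struct rec A_RECS[] = {   /* forward zone: name -> address */
    {"app1.example.com", "192.0.2.10"}, {"app2.example.com", "192.0.2.11"},
    {"app3.example.com", "192.0.2.12"}};
static const struct rec PTR_RECS[] = { /* reverse zone, run by each address block's holder */
    {"192.0.2.12", "app3.example.com"}, {"203.0.113.9", "app1.example.com"}};
static const char *HBA_NAMES[] = {     /* hypothetical names listed in pg_hba.conf */
    "app1.example.com", "app2.example.com", "app3.example.com"};
enum { N_A = 3, N_PTR = 2, N_HBA = 3 };
int lookups;                           /* resolver queries for the current connection */

static const char *resolve(const struct rec *t, int n, const char *key) {
    lookups++;
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].key, key) == 0) return t[i].val;
    return NULL;
}

/* Forward scheme: resolve each configured name until one yields the client address. */
int match_forward(const char *client_ip) {
    lookups = 0;
    for (int i = 0; i < N_HBA; i++) {
        const char *ip = resolve(A_RECS, N_A, HBA_NAMES[i]);
        if (ip && strcmp(ip, client_ip) == 0) return 1;
    }
    return 0;
}

/* Reverse scheme: one PTR lookup; with confirm set, the name must also resolve to client_ip. */
int match_reverse(const char *client_ip, int confirm) {
    lookups = 0;
    const char *name = resolve(PTR_RECS, N_PTR, client_ip);
    for (int i = 0; name && i < N_HBA; i++) {
        if (strcmp(HBA_NAMES[i], name) != 0) continue;
        if (!confirm) return 1;
        const char *ip = resolve(A_RECS, N_A, name);
        return ip && strcmp(ip, client_ip) == 0;
    }
    return 0;
}

int main(void) {
    int plain = match_reverse("203.0.113.9", 0), confirmed = match_reverse("203.0.113.9", 1);
    printf("reverse only: %d, with forward confirmation: %d (%d lookups)\n", plain, confirmed, lookups);
    return 0;
}
```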