| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | pgsql-hackers(at)postgreSQL(dot)org |
| Subject: | Should database = all in pg_hba.conf match a replication connection? |
| Date: | 2010-04-20 23:06:20 |
| Message-ID: | 4989.1271804780@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
I spent a fair amount of time just now being confused about why
pg_hba.conf restrictions on replication connections didn't seem to be
getting enforced. After looking at the code, I realize that my entry
with database = "replication" was indeed getting rejected as not
matching, but then the hba code was falling through and matching an
entry with database = "all". This is not the behavior I expected after
looking at the docs; the docs seem to imply that SR connections must
match an explicit replication entry in pg_hba.conf in order to succeed.
Should we change this? It seems to me to be a good thing on security
grounds if replication connections can't be made through a generic
pg_hba entry. If we don't change it, the docs need some adjustment.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Josh Berkus | 2010-04-20 23:07:32 | Re: Vacuum cancels autovacuum error message confusing? |
| Previous Message | Alvaro Herrera | 2010-04-20 22:51:48 | Re: Vacuum cancels autovacuum error message confusing? |