Re: Hostnames in pg_hba.conf

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Bart Samwel <bart(at)samwel(dot)tk>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Hostnames in pg_hba.conf
Date: 2010-02-11 22:01:44
Message-ID: 4B747E48.8070202@mark.mielke.cc
Lists: pgsql-hackers

On 02/11/2010 04:54 PM, Bart Samwel wrote:
> On Thu, Feb 11, 2010 at 16:36, Mark Mielke <mark(at)mark(dot)mielke(dot)cc> wrote:
>
>>     ISSUE #3: Multiple hostnames?
>>
>>     Currently, a pg_hba entry lists an IP / netmask combination. I
>>     would suggest allowing lists of hostnames in the entries, so that
>>     you can at least mimic the "match multiple hosts by a single
>>     rule". Any reason not to do this?
>
>     I'm mixed. In some situations, I've wanted to put multiple
>     IP/netmask. I would say that if multiple names are supported, then
>     multiple IP/netmask should be supported. But, this does make the
>     lines unwieldy beyond two or three. This direction leans towards
>     the capability to define "host classes", where the rules allow
>     the host class, and the host class can have a list of hostnames.
>
>
> Yes, but before you know it people will ask for being able to specify 
> multiple host classes. :-) Quite simply put, with a single subnet you 
> can allow multiple hosts in. Allowing only a single hostname is a step 
> backward from that, so adding support for multiple hostnames could be 
> useful if somebody is replacing subnets with hostname-based configuration.

This implies two aspects which may not be true:

     1) All hosts that I want to allow belong to the same subnet.
     2) If I trust one host on the subnet, then I trust all hosts on the subnet.

While the above two points are often true, they are not universally true.

>
>     2) What will you do if they specify a hostname and a netmask? This
>     seems like a convenient way of saying "everybody on the same
>     subnet as NAME."
>
>
> Not supported. Either an IP address / netmask combo, or a hostname, 
> but not both. I wouldn't want to recommend hardcoding something such 
> as netmasks (which are definitely subnet dependent) in combination 
> with something as volatile as a host name -- move it to a different 
> subnet, and you might allow a whole bigger subnet than you intended. 
> If they want to specify a netmask, then they should just use hardcoded 
> IPs as well.

Ah yes, I recall this from a previous thread. I think I also disagreed 
on the other thread. :-)

I thought of a use for reverse lookup - it would allow wild card 
hostnames. Still, that's an advanced feature that might be for later... :-)

Cheers,
mark

-- 
Mark Mielke<mark(at)mielke(dot)cc>
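
Added example, not part of the original message and not PostgreSQL code: the hostname-plus-netmask concern from the quoted reply, next to a hostname-only list, worked through in Python. The hostname, the addresses and the "hostname + netmask" matching semantics are constructed assumptions; the thread treats that combination as unsupported.

```python
import ipaddress

# Constructed DNS snapshots: the same hypothetical hostname before and after
# the machine is moved from a /16 site to a /24 subnet elsewhere.
DNS_BEFORE = {"app1.example.org": "10.20.3.7"}
DNS_AFTER = {"app1.example.org": "192.168.5.10"}


def admitted_network(hostname, netmask, dns):
    """Network a hypothetical 'hostname + netmask' rule would admit."""
    addr = dns[hostname]
    # strict=False masks off the host bits, as an IP/netmask match does.
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def rule_admits(client, hostname, netmask, dns):
    """True if the client falls inside the resolved address's masked network."""
    return ipaddress.ip_address(client) in admitted_network(hostname, netmask, dns)


def hostname_list_admits(client, hostnames, dns):
    """Hostname-only rule: admit exactly the addresses the names resolve to."""
    return client in {dns[h] for h in hostnames if h in dns}


def unintended_addresses(hostname, netmask, dns, real_subnet):
    """Count admitted addresses that lie outside the host's actual subnet.

    Assumes real_subnet contains the resolved address, so the two networks
    are nested one way or the other.
    """
    admitted = admitted_network(hostname, netmask, dns)
    real = ipaddress.ip_network(real_subnet)
    if admitted.subnet_of(real):
        return 0
    return admitted.num_addresses - real.num_addresses


if __name__ == "__main__":
    mask = "255.255.0.0"  # chosen to fit the old /16 site, then left in the rule
    for label, dns, real in (("before move", DNS_BEFORE, "10.20.0.0/16"),
                             ("after move", DNS_AFTER, "192.168.5.0/24")):
        net = admitted_network("app1.example.org", mask, dns)
        extra = unintended_addresses("app1.example.org", mask, dns, real)
        print(f"{label}: rule admits {net}, {extra} addresses outside {real}")
```
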
