Re: Hostnames in pg_hba.conf

From: Bart Samwel <bart(at)samwel(dot)tk>
To: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Hostnames in pg_hba.conf
Date: 2010-02-11 21:54:42
Message-ID: ded01eb21002111354t513cc026u461e6696a21b8ef7@mail.gmail.com
Lists: pgsql-hackers

On Thu, Feb 11, 2010 at 16:36, Mark Mielke <mark(at)mark(dot)mielke(dot)cc> wrote:

> On 02/11/2010 08:13 AM, Bart Samwel wrote:
>
> ISSUE #2: Reverse lookup?
>
> There was a suggestion on the TODO list on the wiki, which basically said
> that maybe we could use reverse lookup to find "the" hostname and then check
> for that hostname in the list. I think that won't work, since IPs can go by
> many names and may not support reverse lookup for some hostnames (/etc/hosts
> anybody?). Furthermore, due to the top-to-bottom processing of pg_hba.conf,
> you CANNOT SKIP entries that might possibly match. For instance, if the
> third line is for host "foo.example.com" and the fifth line is for
> "bar.example.com", both lines may apply to the same IP, and you still HAVE
> to check the first one, even if reverse lookup turns up the second host
> name. So it doesn't save you any lookups, it just costs an extra one.
>
>
> I don't see a need to do a reverse lookup. Reverse lookups are sometimes
> done as a verification check, in the sense that it's cheap to get a map from
> NAME -> IP, but sometimes it is much harder to get the reverse map from IP
> -> NAME. However, it's not a reliable check as many legitimate users have
> trouble getting a reverse map from IP -> NAME. It also doesn't save anything
> as IP -> NAME lookups are a completely different set of name servers, and
> these name servers are not always optimized for speed as IP -> NAME lookups
> are less common than NAME -> IP. Finally, if one finds a map from IP ->
> NAME, that doesn't prove that a map from NAME -> IP exists, so using *any*
> results from IP -> NAME is questionable.
>
> I think reverse lookups are unnecessary and undesirable.
>
>
> ISSUE #3: Multiple hostnames?
>
> Currently, a pg_hba entry lists an IP / netmask combination. I would
> suggest allowing lists of hostnames in the entries, so that you can at least
> mimic the "match multiple hosts by a single rule". Any reason not to do
> this?
>
>
> I'm mixed. In some situations, I've wanted to put multiple IP/netmask. I
> would say that if multiple names are supported, then multiple IP/netmask
> should be supported. But, this does make the lines unwieldy beyond two or
> three. This direction leans towards the capability to define "host classes",
> where the rules allow the host class, and the host class can have a list of
> hostnames.
>

Yes, but before you know it people will ask for being able to specify
multiple host classes. :-) Quite simply put, with a single subnet you can
allow multiple hosts in. Allowing only a single hostname is a step backward
from that, so adding support for multiple hostnames could be useful if
somebody is replacing subnets with hostname-based configuration.

> Two other aspects I don't see mentioned:
>
> 1) What will you do for hostnames that have multiple IP addresses? Will you
> accept all IP addresses as being valid?
>

Yes, all addresses returned by (pg_)getaddrinfo will be considered valid.
Most importantly, this ensures that if a host has an IPv4 and an IPv6
address they are both accepted. Plus, if there are multiple addresses, we
have no clue of figuring out which address is "the" address. :-)

> 2) What will you do if they specify a hostname and a netmask? This seems
> like a convenient way of saying "everybody on the same subnet as NAME."
>

Not supported. Either an IP address / netmask combo, or a hostname, but not
both. I wouldn't want to recommend hardcoding something such as netmasks
(which are definitely subnet dependent) in combination with something as
volatile as a host name -- move it to a different subnet, and you might
allow a whole bigger subnet than you intended. If they want to specify a
netmask, then they should just use hardcoded IPs as well.

Cheers,
Bart
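
The matching behaviour discussed in this message (top-to-bottom processing, forward lookups only, every address of a name accepted, lists of hostnames per entry), as an added example that is not part of the original email and is not PostgreSQL code. The rule tuples, the function names and the sample DNS table are assumptions made for illustration, and Python's `socket.getaddrinfo` stands in for `pg_getaddrinfo`.

```python
import ipaddress
import socket

# Constructed sample data (not from the thread): two names share one IPv4 address.
SAMPLE_DNS = {
    "foo.example.com": ["192.0.2.10", "2001:db8::10"],
    "bar.example.com": ["192.0.2.10"],
}
SAMPLE_RULES = [
    ("net", "198.51.100.0/24"),
    ("host", ["foo.example.com"]),
    ("host", ["bar.example.com", "baz.example.com"]),
]

def sample_resolve(name):
    """Offline stand-in for a resolver; unknown names yield no addresses."""
    return SAMPLE_DNS.get(name, [])

def system_resolve(name):
    """Forward lookup (NAME -> IP) returning every address getaddrinfo reports."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def first_match(client_ip, rules, resolve=system_resolve):
    """Return the index of the first rule that matches client_ip, or None."""
    client = ipaddress.ip_address(client_ip)
    for index, (kind, value) in enumerate(rules):
        if kind == "net":
            # IP/netmask entry: containment test only, no DNS involved.
            if client in ipaddress.ip_network(value):
                return index
        elif kind == "host":
            # Hostname entry: no reverse lookup. Each listed name is resolved
            # forward and any returned address (IPv4 or IPv6) is a match.
            for name in value:
                for addr in resolve(name):
                    # Drop an IPv6 scope id such as "%eth0" before comparing.
                    if ipaddress.ip_address(addr.split("%")[0]) == client:
                        return index
        else:
            raise ValueError("unknown rule kind: %r" % (kind,))
    return None
```

With the sample data, 192.0.2.10 matches the `foo.example.com` entry even though `bar.example.com` also resolves to it, because the earlier entry is checked first.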
