Re: pg_ctl

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: pg_ctl
Date: 1999-11-27 04:59:27
Message-ID: 17424.943678767@sss.pgh.pa.us
Lists: pgsql-hackers

Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp> writes:
>> Security issues may be a factor here. Do you want just anyone anywhere
>> on the net to be able to extract the postmaster status? If not, how
>> shall we restrict it?

> I think a reasonable restriction would be to let anyone on the same
> machine that the postmaster is running on issue the protocol.

Grumble. That's both too restrictive and not restrictive enough.
In an intranet-LAN kind of situation, you'd like to be able to check
the Postgres status without having to log into the specific machine
that's running the postmaster; while if the postmaster is running on
a large multiuser system, the very last thing that you want to do is
grant access to everyone else on the system.

> Another idea might be using our host based authentication. What about
> having a "virtual database" used only for the status request protocol?

That could be workable. But I think I may have a better idea.

This morning after I sent my previous comments, I was thinking that the
really right way to do it would be to make the status info be a "virtual
table": you log into Postgres in the normal way, and issue a query
against some special table name, and if you've got the required access
rights then you get an answer. The postgres superuser would always get
an answer, of course, and could grant/deny permissions to other users.

See, the advantage of doing it that way is that we build on top of the
existing Postgres access control and permission mechanisms, instead of
inventing a new set of mechanisms on the spur of the moment. Compare
the Linux "/proc filesystem" for accessing system and process status
information --- /proc isn't a normal filesystem in any sense of the
word, but by making it look like one, the Linux folk managed to reuse
a lot of existing, well-tested lookup and permission-check mechanisms.

Offhand I don't see any reason to think that making system status look
like one or more virtual tables would be much harder to implement than
making it available via special-purpose postmaster protocols. It seems
worth looking into, anyway.

If it doesn't work, then your idea is definitely the next thing to try:
recycle the pg_hba mechanisms to control access to a postmaster status
protocol.

regards, tom lane
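As an added illustration (not part of the thread or of PostgreSQL itself), the "virtual table" approach Tom sketches can be expressed with the catalog functions a current PostgreSQL release provides; the view name postmaster_status, the role status_reader and the login role alice are assumed names:

```sql
-- Added example, not from the original thread. Assumes a modern PostgreSQL
-- where pg_postmaster_start_time(), pg_is_in_recovery() and pg_stat_activity
-- exist; postmaster_status, status_reader and alice are hypothetical names.
CREATE ROLE status_reader NOLOGIN;          -- role allowed to read status

-- The "special table": status exposed through an ordinary view, reached over
-- a normal connection (so pg_hba.conf already gates who can connect at all).
CREATE VIEW postmaster_status AS
SELECT pg_postmaster_start_time()              AS started_at,
       now() - pg_postmaster_start_time()      AS uptime,
       pg_is_in_recovery()                     AS in_recovery,
       (SELECT count(*) FROM pg_stat_activity) AS backend_count;

-- Reuse the existing permission mechanism instead of inventing a new one.
-- (Views grant nothing to PUBLIC by default; the REVOKE makes that explicit.)
REVOKE ALL ON postmaster_status FROM PUBLIC;
GRANT SELECT ON postmaster_status TO status_reader;

-- A superuser can always read the view; anyone else needs SELECT on it,
-- which the owner grants or withdraws per user or role.
GRANT status_reader TO alice;                 -- alice: hypothetical login role
-- REVOKE status_reader FROM alice;           -- ...and can be taken back again
```

A user without SELECT on the view gets a "permission denied" error from the normal privilege check, with no status-specific code involved.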
