| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "pgsql-hackers(at)postgreSQL(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Should database = all in pg_hba.conf match a replication connection? |
| Date: | 2010-04-20 23:49:24 |
| Message-ID: | 4927198544210548164@unknownmsgid |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Apr 20, 2010, at 7:06 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> I spent a fair amount of time just now being confused about why
> pg_hba.conf restrictions on replication connections didn't seem to be
> getting enforced. After looking at the code, I realize that my entry
> with database = "replication" was indeed getting rejected as not
> matching, but then the hba code was falling through and matching an
> entry with database = "all". This is not the behavior I expected
> after
> looking at the docs; the docs seem to imply that SR connections must
> match an explicit replication entry in pg_hba.conf in order to
> succeed.
>
> Should we change this? It seems to me to be a good thing on security
> grounds if replication connections can't be made through a generic
> pg_hba entry.
+1.
...Robert
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2010-04-20 23:53:36 | Re: [HACKERS] Streaming replication document improvements |
| Previous Message | Tom Lane | 2010-04-20 23:13:18 | Re: Thoughts on pg_hba.conf rejection |