Re: Indent authentication overloading

On Mon, Mar 14, 2011 at 14:43, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Mon, Mar 14, 2011 at 5:18 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>> On Fri, Mar 11, 2011 at 15:36, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
>>> On tor, 2011-03-10 at 22:45 +0100, Magnus Hagander wrote:
>>>> On Thu, Mar 10, 2011 at 22:22, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>>>> >
>>>> > Added to TODO:
>>>> >
>>>> >        Rename unix domain socket 'ident' connections to 'peer', to avoid
>>>> >        confusion with TCP 'ident'
>>>>
>>>> Should we consider adding "peer" as an alias for "ident" already in
>>>> 9.1 (and change the default pg_hba.conf template), and then deprecate
>>>> ident for 9.2 and remove it in 9.3 or something? By adding the alias
>>>> now (yes, I know it's not in the last CF :P), we can move what's going
>>>> to be a long process up one release...
>>>
>>> Might as well, if you can get it done soon.  The documentation might
>>> need more extensive adjustments.
>>
>> The code itself is pretty easy and localized, AFAICT. Attached is a
>> patch taht implements "peer" for local connections, and automatically
>> maps "ident" on local sockets to that (with a log message saying it
>> did).
>>
>> If people want this to go in, I'll go over the documentation as well -
>> as you say, that might need some more changes, but we're not as
>> time-critical on that (meaning we can keep polishing it through beta).
>>
>> Also, I'd like to get around to making "initdb -A ident" automatically
>> put "peer" for local sockets as well, which is not included in this
>> patch but should be a very simple change.
>>
>> So. Thoughts?
>
> The log message is an absolute non-starter.  You're going to get that
> on every backend startup on Windows, I believe.

No, you're not. Because we don't do unix sockets on windows, for
obvious reasons.

You *would* get it on all RPM based installations, or DEB based
installations, on *unix*, unless the patch to initdb is done (which it
is now actually, just wasn't when I posted)

That said, it can easily be removed.

> Also, the text is not accurate: nothing has been automatically changed
> to anything.  The pg_hba.conf file is just as it was.  You could say
> something like "ident" authentication on local socket treated as
> "peer", but I think a better idea would be to just remove this message
> altogether.  I see zero reason to force someone who has a pg_hba.conf
> file that they have been using for years and are happy with to make
> trivial changes to it on our account, and I'd be perfectly happy to
> silently treat ident on a local socket as peer forever, while gently
> encouraging the use of the newer term in our documentation.

The idea being to let people know it's been deprecated, nothing else.
But sure, we can just remove the message - at elast for now, and maybe
add it $n releases down the road when people are expected to have
changed over.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/