Re: Allow cluster owner to bypass authentication

From: Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Allow cluster owner to bypass authentication
Date: 2019-12-17 04:20:25
Message-ID: CAA8=A7-V4kba7E06KxPase1oRayc6R60gi9BaF490HKt7ip2hQ@mail.gmail.com
Lists: pgsql-hackers

On Thu, Aug 15, 2019 at 9:07 PM Peter Eisentraut
<peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
>
> This is an implementation of the idea I mentioned in [0].
>
> The naming and description perhaps aren't ideal yet but it works in
> principle.
>
> The idea is that if you connect over a Unix-domain socket and the local
> (effective) user is the same as the server's (effective) user, then
> access should be granted immediately without any checking of
> pg_hba.conf. Because it's "your own" server and you can do anything you
> want with it anyway.
>
> I included an option to turn this off because (a) people are going to
> complain, (b) you need this for the test suites to be able to test
> pg_hba.conf, and (c) conceivably, someone might want to have all access
> go through pg_hba.conf for some auditing reasons (perhaps via PAM).
>
> This addresses the shortcomings of using peer as the default mechanism
> in initdb. In a subsequent step, my idea would be to make the default
> initdb authentication setup to use md5 (or scram, tbd.) for both local
> and host.
>

This has been hanging around for a while. I guess the reason it hasn't
got much attention is that on its own it's not terribly useful.
However, when you consider that it's a sensible prelude to setting a
more secure default for auth in initdb (I'd strongly advocate
SCRAM-SHA-256 for that) it takes on much more significance.

The patch on its own is very small and straightforward. The actual
code is smaller than the docco.

Let's do this so we can move to a better default auth.

cheers

andrew

--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
