Re: Enabling replication connections by default in pg_hba.conf

From: Simon Riggs <simon(at)2ndquadrant(dot)com>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Enabling replication connections by default in pg_hba.conf
Date: 2017-02-02 13:32:19
Message-ID: CANP8+jLroScN4dgb4RfAEx1pXkjNhF5869cSQ5eP3PCutNXQ=Q@mail.gmail.com
Lists: pgsql-hackers

On 23 January 2017 at 04:29, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> wrote:
> Hi all,
>
> As now wal_level = replica has become the default for Postgres 10,
> could we consider as well making replication connections enabled by
> default in pg_hba.conf?

Agreed

> This requires just uncommenting a couple of
> lines in pg_hba.conf.sample.

I don't think that is the right way to do this. Changing the default
doesn't reduce the complexity.

I think we should remove the "replication" false database concept in
pg_hba.conf altogether and allow any valid pg_hba rule to invoke a
replication connection, if one is requested. Roles would still need
the REPLICATION capability before this would be allowed. Having both
of those things doesn't materially improve security control.

It would also be useful to be able to prevent users with REPLICATION
capability from connecting as normal users, if they are marked as
NOLOGIN.

--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
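
An added illustration, not part of the message above and not PostgreSQL's own code, of the "replication" pseudo-database the message refers to: this Python sketch parses constructed pg_hba.conf text and lists the rules that admit replication connections, which the `all` keyword and a quoted "replication" do not. The sample rules and all function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample in pg_hba.conf syntax; not taken from the thread.
SAMPLE_HBA = '''\
# TYPE  DATABASE         USER     ADDRESS                 METHOD
local   all              all                              peer
host    all              all      127.0.0.1/32            md5
host    replication      all      127.0.0.1/32            trust
host    app,replication  standby  10.0.0.0 255.255.255.0  md5  # netmask form
host    "replication"    all      10.0.0.0/24             md5
#host   replication      all      ::1/128                 md5
'''
TOKEN = re.compile(r'(?:"[^"]*"|[^\s#"])+|#.*')  # field, or trailing comment

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """One dict per rule; @file references and continuations are not handled."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # A comment token always runs to end of line, so filtering it is enough.
        fields = [t for t in TOKEN.findall(line) if not t.startswith("#")]
        if len(fields) < 4:
            continue
        conn, dbs, users, rest = fields[0], fields[1], fields[2], fields[3:]
        address = None
        if conn != "local":
            address = rest.pop(0)
            if rest and "/" not in address and _is_ip(rest[0]):
                address += "/" + rest.pop(0)  # separate netmask field
        if rest:
            rules.append({"line": lineno, "type": conn, "users": users,
                          "databases": re.findall(r'"[^"]*"|[^,]+', dbs),
                          "address": address, "method": rest[0]})
    return rules

def replication_rules(text):
    """Rules carrying the unquoted keyword `replication`; `all` and a
    quoted "replication" (an ordinary database name) do not match."""
    return [r for r in parse_hba(text) if "replication" in r["databases"]]

def unauthenticated(rules):
    """Line numbers of rules that use the `trust` method."""
    return [r["line"] for r in rules if r["method"] == "trust"]
```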
