From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org> |
Subject: | Improving pg_hba.conf |
Date: | 2001-06-12 16:28:44 |
Message-ID: | 200106121628.f5CGSid17592@candle.pha.pa.us |
Lists: | pgsql-hackers |
We have the following item on TODO:
* Overhaul pg_hba.conf host-based authentication
Can people tell me what they want changed. I know we need the pg_shadow
password field encrypted in the table and I will work on that now.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From: | Chris Bowlby <excalibur(at)hub(dot)org> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Improving pg_hba.conf |
Date: | 2001-06-12 19:07:05 |
Message-ID: | Pine.BSF.4.33.0106121504330.69946-100000@hub.org |
Lists: | pgsql-hackers |
On Tue, 12 Jun 2001, Bruce Momjian wrote:
It might be worthwhile to add restrictions in the config file for user
level locking, I realize that it can be done now...but having it in the
pg_hba.conf file could make it easier...
> We have the following item on TODO:
>
> * Overhaul pg_hba.conf host-based authentication
>
> Can people tell me what they want changed. I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.
>
> --
> Bruce Momjian | http://candle.pha.pa.us
> pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
> + If your life is a hard drive, | 830 Blythe Avenue
> + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
>
Chris Bowlby,
-----------------------------------------------------
Web Developer @ Hub.org.
excalibur(at)hub(dot)org
www.hub.org
1-902-542-3657
-----------------------------------------------------
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Chris Bowlby <excalibur(at)hub(dot)org> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Improving pg_hba.conf |
Date: | 2001-06-12 19:08:01 |
Message-ID: | 200106121908.f5CJ81Q05077@candle.pha.pa.us |
Lists: | pgsql-hackers |
I don't think that belongs in pg_hba.conf.
> On Tue, 12 Jun 2001, Bruce Momjian wrote:
>
> It might be worthwhile to add restrictions in the config file for user
> level locking, I realize that it can be done now...but having it in the
> pg_hba.conf file could make it easier...
>
>
>
> > We have the following item on TODO:
> >
> > * Overhaul pg_hba.conf host-based authentication
> >
> > Can people tell me what they want changed. I know we need the pg_shadow
> > password field encrypted in the table and I will work on that now.
> >
> > --
> > Bruce Momjian | http://candle.pha.pa.us
> > pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
> > + If your life is a hard drive, | 830 Blythe Avenue
> > + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 4: Don't 'kill -9' the postmaster
> >
>
> Chris Bowlby,
> -----------------------------------------------------
> Web Developer @ Hub.org.
> excalibur(at)hub(dot)org
> www.hub.org
> 1-902-542-3657
> -----------------------------------------------------
>
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From: | mlw <markw(at)mohawksoft(dot)com> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Improving pg_hba.conf |
Date: | 2001-06-13 10:02:18 |
Message-ID: | 3B273A2A.5030EF27@mohawksoft.com |
Lists: | pgsql-hackers |
Bruce Momjian wrote:
>
> We have the following item on TODO:
>
> * Overhaul pg_hba.conf host-based authentication
>
> Can people tell me what they want changed. I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.
Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
for free when you reinitialize and restore a database?
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | mlw <markw(at)mohawksoft(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Re: Improving pg_hba.conf |
Date: | 2001-06-13 13:50:38 |
Message-ID: | 200106131350.f5DDocm01604@candle.pha.pa.us |
Lists: | pgsql-hackers |
> Bruce Momjian wrote:
> >
> > We have the following item on TODO:
> >
> > * Overhaul pg_hba.conf host-based authentication
> >
> > Can people tell me what they want changed. I know we need the pg_shadow
> > password field encrypted in the table and I will work on that now.
>
> Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> for free when you reinitialize and restore a database?
The file has to be read by the postmaster and the postmaster has no
access to data tables for speed and security reasons.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | Chris Bowlby <excalibur(at)hub(dot)org> |
Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Re: Improving pg_hba.conf |
Date: | 2001-06-13 15:39:38 |
Message-ID: | Pine.LNX.4.30.0106131738100.756-100000@peter.localdomain |
Lists: | pgsql-hackers |
Chris Bowlby writes:
> It might be worthwhile to add restrictions in the config file for user
> level locking, I realize that it can be done now...but having it in the
> pg_hba.conf file could make it easier...
This would be mostly pointless since you can create locks with judicious
use of insert/update/delete. I don't suppose you want to let those
commands run without the appropriate locks.
--
Peter Eisentraut peter_e(at)gmx(dot)net http://funkturm.homeip.net/~peter
From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | mlw <markw(at)mohawksoft(dot)com> |
Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Re: Improving pg_hba.conf |
Date: | 2001-06-13 15:40:11 |
Message-ID: | Pine.LNX.4.30.0106131739450.756-100000@peter.localdomain |
Lists: | pgsql-hackers |
mlw writes:
> Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> for free when you reinitialize and restore a database?
Because if you hosed that table you would have hosed your entire
installation.
--
Peter Eisentraut peter_e(at)gmx(dot)net http://funkturm.homeip.net/~peter
From: | mlw <markw(at)mohawksoft(dot)com> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Re: Improving pg_hba.conf |
Date: | 2001-06-13 17:07:04 |
Message-ID: | 3B279DB8.E8CB5657@mohawksoft.com |
Lists: | pgsql-hackers |
Peter Eisentraut wrote:
> mlw writes:
>
> > Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> > for free when you reinitialize and restore a database?
>
> Because if you hosed that table you would have hosed your entire
> installation.
>
You could use a bki script to fix the problem in stand alone mode if need be. I
don't think breaking this table is really an issue. My only concerns would be the
chicken vs egg problem connecting to the system, and security. Assuming these issues
could be resolved, I think having this info in a table would be beneficial for
maintenance.
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Improving pg_hba.conf |
Date: | 2001-07-09 21:31:35 |
Message-ID: | 200107092131.f69LVZv22427@candle.pha.pa.us |
Lists: | pgsql-hackers |
> We have the following item on TODO:
>
> * Overhaul pg_hba.conf host-based authentication
>
> Can people tell me what they want changed. I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.
I haven't heard of any more issues with pg_hba.conf so I will mark the
item as done. I did clean up the comments in the file. I have also
added a TODO item:
* Read pg_hba.conf only on postmaster startup or SIGHUP
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From: | David Ford <david(at)blue-labs(dot)org> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Improving pg_hba.conf |
Date: | 2001-07-23 02:59:13 |
Message-ID: | 3B5B9301.4040201@blue-labs.org |
Lists: | pgsql-hackers |
>
>
>I haven't heard of any more issues with pg_hba.conf so I will mark the
>item as done. I did clean up the comments in the file. I have also
>added a TODO item:
>
> * Read pg_hba.conf only on postmaster startup or SIGHUP
>
If you do this, can you add an access table for secondary lookups? I
tend to update host access frequently and personally I think it'd be
dandy to have a table that can be updated for access as well as the
primary pg_hba.conf file.
David
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | David Ford <david(at)blue-labs(dot)org> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Improving pg_hba.conf |
Date: | 2001-07-23 03:01:05 |
Message-ID: | 200107230301.f6N316R08940@candle.pha.pa.us |
Lists: | pgsql-hackers |
> >
> >
> >I haven't heard of any more issues with pg_hba.conf so I will mark the
> >item as done. I did clean up the comments in the file. I have also
> >added a TODO item:
> >
> > * Read pg_hba.conf only on postmaster startup or SIGHUP
> >
>
> If you do this, can you add an access table for secondary lookups? I
> tend to update host access frequently and personally I think it'd be
> dandy to have a table that can be updated for access as well as the
> primary pg_hba.conf file.
Sorry, I don't understand what secondary lookups are.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
From: | David Ford <david(at)blue-labs(dot)org> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Improving pg_hba.conf |
Date: | 2001-07-23 05:38:11 |
Message-ID: | 3B5BB843.50406@blue-labs.org |
Lists: | pgsql-hackers |
What I mean is, do host lookups first in the text file, then if a
pg_hostaccess table (example) exists, check it for host entries. This
alleviates HUP or restart etc. to reload a config file.
David
Bruce Momjian wrote:
>>>
>>>I haven't heard of any more issues with pg_hba.conf so I will mark the
>>>item as done. I did clean up the comments in the file. I have also
>>>added a TODO item:
>>>
>>> * Read pg_hba.conf only on postmaster startup or SIGHUP
>>>
>>If you do this, can you add an access table for secondary lookups? I
>>tend to update host access frequently and personally I think it'd be
>>dandy to have a table that can be updated for access as well as the
>>primary pg_hba.conf file.
>>
>
>Sorry, I don't understand what secondary lookups are.
>
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | David Ford <david(at)blue-labs(dot)org> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Improving pg_hba.conf |
Date: | 2001-07-23 09:56:17 |
Message-ID: | 200107230956.f6N9uIp22870@candle.pha.pa.us |
Lists: | pgsql-hackers |
> What I mean is, do host lookups first in the text file, then if a
> pg_hostaccess table (example) exists, check it for host entries. This
> alleviates HUP or restart etc. to reload a config file.
Can't do that. Postmaster has no database access. Must be fast.
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026