[Dbconfig-common-devel] Re: Best practice for allowing access to a postgres db

sean finney seanius at debian.org
Sun Sep 25 20:57:19 UTC 2005


hey martin,

On Sun, Sep 25, 2005 at 06:16:37PM +0200, Martin Pitt wrote:
> Long time no see about this topic, time to revive it a bit :-)

funny coincidence, we were just talking about this again on
the dbconfig-common devel list (so i'll add them to the cc
as well)

> > what would make the most sense to me would be to spend some time
> > together developing the interface scripts, host them in postgresql-common,
> 
> Right, I'm going to develop them soon now. However, before doing so
> I'd like to agree to the interface so that it actually makes sense for
> you (I'm not overly familiar with web apps, I just use them on the
> same server as the DB, and I only use the default pg_hba.conf on
> them, which works for my purposes).
> 
> So far my initial spec would be like this:
> 
> ---- snip ----
>   pg_add_hba [options] yourwebappdb yourwebappuser
>   pg_remove_hba [options] yourwebappdb yourwebappuser

it would also be nice to have a 'pg_query_hba' or something of the like,
that could be used to determine whether or not pg_add_hba would
need to be called at all.  that way, a user installing an app
could have something happen like "it appears as though your postgres
server needs to have its conf changed, shall we?"

i think such an app would have the same cmdline options as pg_add_hba and
pg_remove_hba, plus an "--add" or "--remove".  it would then exit
nonzero if something needed to be added (in the case of --add) or
removed (in the case of --remove).

>   --cluster: self-explanatory, defaults to default cluster
>   --ip: IP and netmask for host socket; if not given, defaults to Unix
>     socket (local)
>   --method: defaults to "md5" for TCP connections, and "ident" for
>     Unix socket connections
>   --force-ssl: If given, create a "hostssl" entry, otherwise a "host"
>     entry

maybe --options too?  the only option i can think of off the top of
my head is "sameuser" for ident.

> I'd appreciate any comments about this. Please also just tell me how
> an interface should look from *your* perspective, since you
> should not adapt your problems to my solution. :)

i think this sounds great.  let me know when you have an initial version
to try, and i'll put in support for it in dbconfig-common.


	sean
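
A sketch of the query check proposed in this message, as an added example that is not code from the thread or from postgresql-common: it reports, through the proposed exit status, whether an add or remove would change a pg_hba.conf. The names `parse_hba` and `query_hba` and the sample file are assumptions. It matches literal entries only and does not expand `all` or evaluate first-match ordering.

```python
import ipaddress

# Constructed sample pg_hba.conf, not taken from the thread.
SAMPLE = """\
# TYPE   DATABASE  USER        ADDRESS      [MASK]         METHOD
local    all       postgres                                ident sameuser
local    webappdb  webappuser                              ident sameuser
host     webappdb  webappuser  192.168.1.0  255.255.255.0  md5
hostssl  otherdb   otheruser   10.0.0.0/8                  md5
"""

def parse_hba(conf_text):
    """Yield (type, databases, users, network, method) for each record."""
    for line in conf_text.splitlines():
        f = line.split("#", 1)[0].split()
        try:
            net, rest = None, f[3:]
            if f[0] != "local":
                # Address is CIDR (one field) or IP plus netmask (two fields).
                n = 1 if "/" in rest[0] else 2
                net = ipaddress.ip_network("/".join(rest[:n]), strict=False)
                rest = rest[n:]
            yield f[0], f[1].split(","), f[2].split(","), net, rest[0]
        except (IndexError, ValueError):
            continue  # blank, comment-only, hostname-based or malformed line

def query_hba(conf_text, action, db, user, ip=None, method=None,
              force_ssl=False):
    """Hypothetical pg_query_hba: return 1 if `action` would change the file."""
    if ip is None:
        want_type, want_net = "local", None
    else:
        want_type = "hostssl" if force_ssl else "host"
        # Accept "addr/len", "addr/mask" or "addr mask".
        want_net = ipaddress.ip_network(ip.replace(" ", "/"), strict=False)
    # Defaults from the quoted spec: md5 for TCP, ident for Unix sockets.
    method = method or ("md5" if ip else "ident")
    present = any(
        t == want_type and db in dbs and user in users
        and net == want_net and m == method
        for t, dbs, users, net, m in parse_hba(conf_text))
    if action == "add":
        return 0 if present else 1   # nonzero: an entry must be added
    return 1 if present else 0       # nonzero: an entry must be removed
```
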
