[Dbconfig-common-devel] Re: Best practice for allowing access to a postgres db
sean finney
seanius at debian.org
Sun Sep 25 20:57:19 UTC 2005
hey martin,
On Sun, Sep 25, 2005 at 06:16:37PM +0200, Martin Pitt wrote:
> Long time no see about this topic, time to revive it a bit :-)
funny coincidence, we were just talking about this again on
the dbconfig-common devel list (so i'll add them to the cc
as well)
> > what would make the most sense to me would be to spend some time
> > together developing the interface scripts, host them in postgresql-common,
>
> Right, I'm going to develop them soon now. However, before doing so
> I'd like to agree to the interface so that it actually makes sense for
> you (I'm not overly familiar with web apps, I just use them on the
> same server as the DB, and I only use the default pg_hba.conf on
> them, which works for my purposes).
>
> So far my initial spec would be like this:
>
> ---- snip ----
> pg_add_hba [options] yourwebappdb yourwebappuser
> pg_remove_hba [options] yourwebappdb yourwebappuser
it would also be nice to have a 'pg_query_hba' or something of the like,
that could be used to determine whether or not pg_add_hba would
need to be called at all. that way, a user installing an app
could have something happen like "it appears as though your postgres
server needs to have its conf changed, shall we?"
i think such an app would have the same cmdline options as pg_add_hba and
pg_remove_hba, plus an "--add" or "--remove". it would then exit
nonzero if something needed to be added (in the case of --add) or
removed (in the case of --remove).
> --cluster: self-explanatory, defaults to default cluster
> --ip: IP and netmask for host socket; if not given, defaults to Unix
> socket (local)
> --method: defaults to "md5" for TCP connections, and "ident" for
> Unix socket connections
> --force-ssl: If given, create a "hostssl" entry, otherwise a "host"
> entry
maybe --options too? the only option i can think of off the top of
my head is "sameuser" for ident.
> I'd appreciate any comments about this. Please also just tell me how
> an interface should look from *your* perspective, since you
> should not adapt your problems to my solution. :)
i think this sounds great. let me know when you have an initial version
to try, and i'll put in support for it in dbconfig-common.
sean
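
The 'pg_query_hba --add' check proposed above, sketched as an added example (not code from this thread or from postgresql-common). The function names and the sample pg_hba.conf are constructed for illustration; the defaults follow the proposed spec (md5 for TCP, ident for the Unix socket), and the check uses PostgreSQL's rule that the first matching pg_hba.conf record decides, so an earlier record with a different method counts as "needs a change".

```python
import ipaddress

# Constructed sample pg_hba.conf, not taken from any real system.
SAMPLE = """\
# TYPE  DATABASE      USER            ADDRESS                     METHOD
local   all           postgres                                    ident sameuser
local   yourwebappdb  yourwebappuser                              ident sameuser
host    all           all             127.0.0.1 255.255.255.255   md5
host    otherdb       all             10.0.0.0/8                  trust
"""

def parse_hba(text):
    """Yield (type, dbs, users, network, method) per record.
    Quoted names and @file includes are not handled in this sketch."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        kind, dbs, users, rest = f[0], f[1].split(","), f[2].split(","), f[3:]
        net = None
        if kind != "local":
            if "/" in rest[0]:      # CIDR form, e.g. 10.0.0.0/8
                net, rest = ipaddress.ip_network(rest[0], strict=False), rest[1:]
            else:                   # IPv4 address followed by a separate netmask
                net = ipaddress.ip_network(rest[0] + "/" + rest[1], strict=False)
                rest = rest[2:]
        yield kind, dbs, users, net, rest[0]

def first_match(text, db, user, ip=None, force_ssl=False):
    """Return the method of the first record that applies, or None."""
    want = "local" if ip is None else ("hostssl" if force_ssl else "host")
    want_net = ipaddress.ip_network(ip, strict=False) if ip else None
    for kind, dbs, users, net, method in parse_hba(text):
        # A plain "host" record also applies to SSL connections.
        if kind != want and not (kind == "host" and want == "hostssl"):
            continue
        if not ({db, "all"} & set(dbs)) or not ({user, "all"} & set(users)):
            continue
        if net is not None and not (net.version == want_net.version
                                    and want_net.subnet_of(net)):
            continue
        return method
    return None

def needs_add(text, db, user, ip=None, method=None, force_ssl=False):
    """True if pg_add_hba would have to change the file (exit nonzero)."""
    method = method or ("ident" if ip is None else "md5")
    return first_match(text, db, user, ip, force_ssl) != method
```

The last sample record shows why first-match order matters: a request for md5 access to otherdb from 10.1.2.0/24 is reported as needing a change because an earlier trust record already decides those connections.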