[Dbconfig-common-devel] Re: Best practice for allowing access to a postgres db
Martin Pitt
mpitt at debian.org
Mon Sep 26 05:46:45 UTC 2005
hi Sean!
sean finney [2005-09-25 16:57 -0400]:
> > pg_add_hba [options] yourwebappdb yourwebappuser
> > pg_remove_hba [options] yourwebappdb yourwebappuser
>
> it would also be nice to have a 'pg_query_hba' or something of the like,
> that could be used to determine whether or not pg_add_hba would
> need to be called at all. that way, a user installing an app
> could have something happen like "it appears as though your postgres
> server needs to have its conf changed, shall we?"
>
> i think such an app would have the same cmdline options as pg_add_hba and
> pg_remove_hba, plus an "--add" or "--remove". it would then exit
> nonzero if something needed to be added (in the case of --add) or
> removed (in the case of --remove).
Right, good idea. So what about
  pg_test_hba [options] yourwebappdb yourwebappuser
--cluster would keep its meaning, --ip should be a concrete IP (like
127.0.0.1, which means access is tested from that IP). Other options
should not be allowed. Then pg_test_hba would exit with 1 if there is
no matching rule, and with 0 if there is. In the success case, it
would print out the access method ("ident sameuser" or "md5"). It
might also be interesting whether SSL must be used or not. Maybe this
should be printed in a second line, what do you think?
> > --cluster: self-explanatory, defaults to default cluster
> > --ip: IP and netmask for host socket; if not given, defaults to Unix
> > socket (local)
> > --method: defaults to "md5" for TCP connections, and "ident" for
> > Unix socket connections
> > --force-ssl: If given, create a "hostssl" entry, otherwise a "host"
> > entry
>
> maybe --options too? the only option i can think of off the top of
> my head is "sameuser" for ident.
You can also specify an ident map (which few people will actually do
in practice, I guess), or a PAM service name (this does not work out
of the box, though, since postgres is not in group shadow). So should
dbconfig-common really become that complex? My gut feeling is that
"ident sameuser" is the only sensible authentication method when using
the Unix socket, at least when it comes to configuring that stuff
automatically. Let me make the spec more precise:
  --method: defaults to "md5" for TCP connections, and "ident
            sameuser" for Unix socket connections
Please let me know whether you really need more complexity. We can
always add more options later, but implementing them just for the sake
of completeness is a waste, IMHO.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org
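
The first-match check that the proposed pg_test_hba would have to perform, sketched as an added example (not part of the original mail and not postgresql-common code). The sample pg_hba.conf is constructed and the function names are hypothetical; it assumes plain names, "all" and "sameuser" only (no @file, +group or quoted entries), and it treats a matching "reject" rule as no access, which the thread does not specify.

```python
import ipaddress

# Constructed sample pg_hba.conf (8.x-style layout), not taken from the thread.
SAMPLE_HBA = """\
# TYPE   DATABASE      USER            ADDRESS [MASK]             METHOD
local    all           postgres                                   ident sameuser
local    yourwebappdb  yourwebappuser                             ident sameuser
hostssl  yourwebappdb  yourwebappuser  192.168.1.0 255.255.255.0  md5
host     yourwebappdb  yourwebappuser  127.0.0.1/32               md5
host     all           all             0.0.0.0/0                  reject
"""

def parse_hba(text):
    """Yield (conntype, databases, users, network or None, method string)."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":                  # Unix socket: no address column
            net, rest = None, f[3:]
        elif "/" in f[3]:                    # CIDR form
            net, rest = f[3], f[4:]
        else:                                # separate address and netmask
            net, rest = f[3] + "/" + f[4], f[5:]
        net = ipaddress.ip_network(net, strict=False) if net else None
        yield f[0], f[1].split(","), f[2].split(","), net, " ".join(rest)

def first_match(text, db, user, ip=None, ssl=False):
    """Method of the first rule matching this connection, or None."""
    addr = ipaddress.ip_address(ip) if ip else None
    for ctype, dbs, users, net, method in parse_hba(text):
        # hostssl applies only to SSL connections, hostnossl only to plain ones.
        skip = ctype != "local" if addr is None else (
            ctype in ("local", "hostnossl" if ssl else "hostssl") or addr not in net)
        if skip:
            continue
        if not ({"all", db} & set(dbs) or ("sameuser" in dbs and db == user)):
            continue
        if not {"all", user} & set(users):
            continue
        return method                        # first matching record decides
    return None

def pg_test_hba(text, db, user, ip=None):
    """Return (exit_code, method, ssl_required) as proposed in the mail."""
    for ssl in ((False, True) if ip else (False,)):
        method = first_match(text, db, user, ip, ssl)
        if method and method != "reject":    # assumption: reject means no access
            return 0, method, ssl
    return 1, None, None
```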