[Dbconfig-common-devel] Re: Best practice for allowing access to a postgres db

Martin Pitt mpitt at debian.org
Tue Sep 27 05:44:13 UTC 2005


Hi!

sean finney [2005-09-26  3:41 -0400]:
> On Mon, Sep 26, 2005 at 07:46:45AM +0200, Martin Pitt wrote:
> > --cluster would keep its meaning, --ip should be a concrete IP (like
> > 127.0.0.1), which means access is tested from that IP. Other options
> > should not be allowed. Then pg_test_hba would exit with 1 if there is
> 
> i think it would be helpful if the other options were also allowed.
> for example, if method is md5, we would need to know this so that
> a line with ident sameuser didn't cause a false positive.

Not sure what you mean here. It does not make sense to specify more
than one line for a given type/user/database triple, since only the
first matching line is used. Therefore the method should be an output
rather than an input.

> > no matching rule, and with 0 if there is. In the success case, it
> > would print out the access method ("ident sameuser" or "md5"). It
> > might also be interesting whether SSL must be used or not. Maybe this
> > should be printed in a second line, what do you think?
> 
> i think, ideally, this command shouldn't output anything if nothing
> needs to change, and if something needs to change it should only output
> what should be entered into pg_hba.conf.

This indeed makes sense, good idea. I will do that.

Thanks,

Martin

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org
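
The first-match rule discussed in this message, as an added example that is not part of the original mail and is not pg_test_hba's own code: it reports the method of the first pg_hba.conf record that matches a type/database/user/IP, or nothing if no record matches. The names `first_match` and `SAMPLE_HBA` and the sample file are constructed here; it assumes CIDR addresses and does not handle `+group`, `@file` or quoted fields.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the thread); CIDR addresses only.
SAMPLE_HBA = """\
local   all     postgres                ident sameuser
local   all     all                     ident sameuser
host    appdb   appuser  127.0.0.1/32   md5
host    all     all      127.0.0.1/32   ident sameuser
hostssl all     all      10.0.0.0/8     md5
"""

def _names_match(field, name, user):
    """Match a DATABASE or USER field: 'all', 'sameuser', or a comma list."""
    if field == "all":
        return True
    if field == "sameuser":          # database field only: db name == user name
        return name == user
    return name in field.split(",")

def first_match(hba_text, conn_type, database, user, ip=None, ssl=False):
    """Return (method, ssl_required) for the first matching record, else None.

    conn_type is 'local' (Unix socket) or 'host' (TCP connection from `ip`).
    """
    for raw in hba_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        rtype = f[0]
        if rtype == "local" and conn_type == "local" and len(f) >= 4:
            db, usr, method = f[1], f[2], " ".join(f[3:])
        elif (rtype in ("host", "hostssl", "hostnossl")
              and conn_type == "host" and len(f) >= 5):
            if (rtype == "hostssl" and not ssl) or (rtype == "hostnossl" and ssl):
                continue
            net = ipaddress.ip_network(f[3], strict=False)
            if ipaddress.ip_address(ip) not in net:
                continue
            db, usr, method = f[1], f[2], " ".join(f[4:])
        else:
            continue
        if _names_match(db, database, user) and _names_match(usr, user, None):
            return method, rtype == "hostssl"   # stop: later lines never apply
    return None

if __name__ == "__main__":
    # appuser@appdb over TCP hits the md5 line; the later ident line is shadowed.
    print(first_match(SAMPLE_HBA, "host", "appdb", "appuser", "127.0.0.1"))
```

A caller that expects md5 can compare the returned method against it: an `ident sameuser` record placed later in the file never produces a hit once an earlier record has matched.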

