Re: [HACKERS] HBA files w/include support?

2014-02-16 Thread Jim Nasby
On 2/14/14, 8:36 AM, Stephen Frost wrote: * Bruce Momjian (br...@momjian.us) wrote: In an ideal world we would have a tool where you could plug in a username, database, IP address, and test pg_hba.conf file and it would report what line is matched. That's not a bad idea, but we don't expose

Re: [HACKERS] HBA files w/include support?

2014-02-16 Thread Jim Nasby
On 2/14/14, 1:06 PM, Jeff Janes wrote: On Fri, Feb 14, 2014 at 6:33 AM, Bruce Momjian br...@momjian.us wrote: On Fri, Feb 14, 2014 at 03:28:23AM -0500, Stephen Frost wrote: Bruce, Having @include and directory.d-style capabilities for pg_hba.conf *and*

Re: [HACKERS] HBA files w/include support?

2014-02-16 Thread Jim Nasby
On 2/14/14, 10:14 AM, Andres Freund wrote: I was asking for use-cases so we could figure out what's the right thing;-) The argument about wanting to assemble a pg_hba file from separately managed configuration pieces seems to have some merit, but the weak spot there is how do you define the

Re: [HACKERS] HBA files w/include support?

2014-02-16 Thread Stephen Frost
* Jim Nasby (j...@nasby.net) wrote: On 2/14/14, 8:36 AM, Stephen Frost wrote: * Bruce Momjian (br...@momjian.us) wrote: In an ideal world we would have a tool where you could plug in a username, database, IP address, and test pg_hba.conf file and it would report what line is matched.

Re: [HACKERS] HBA files w/include support?

2014-02-16 Thread Stephen Frost
* Jim Nasby (j...@nasby.net) wrote: Would the inclusion of the entire directory be done via a single #include (or whatever syntax) directive in pg_hba.conf? Not sure we've even figured that out yet, but probably. I think that's probably OK. But if we're talking about something like hey, if

Re: [HACKERS] HBA files w/include support?

2014-02-16 Thread Jeff Janes
On Sunday, February 16, 2014, Jim Nasby j...@nasby.net wrote: On 2/14/14, 1:06 PM, Jeff Janes wrote: On Fri, Feb 14, 2014 at 6:33 AM, Bruce Momjian br...@momjian.us wrote: On Fri, Feb 14, 2014 at 03:28:23AM -0500, Stephen Frost wrote: Bruce,

Re: [HACKERS] HBA files w/include support?

2014-02-15 Thread Martijn van Oosterhout
On Fri, Feb 14, 2014 at 11:10:48AM -0500, Tom Lane wrote: The argument about wanting to assemble a pg_hba file from separately managed configuration pieces seems to have some merit, but the weak spot there is how do you define the search order? Or are you planning to just cross your fingers

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Stephen Frost
Bruce, * Bruce Momjian (br...@momjian.us) wrote: On Thu, Feb 13, 2014 at 08:24:27PM -0600, Jerry Sievers wrote: I'm aware of how a pg_hba.conf file can refer to other files for including @lists of users, etc. But there is currently no support for being able to pull in entire file

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Alvaro Herrera
Jerry Sievers wrote: The other thing that comes to mind, is that as opposed to postgresql.conf and the include scenario there... one can do show all or query from pg_stat_activity just to see what setting they ended up with. I'm not aware of any way to probe what hba rules are loaded at

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Bruce Momjian
On Thu, Feb 13, 2014 at 11:28:45PM -0600, Jerry Sievers wrote: One issue with this is that pg_hba.conf is order sensitive, which could become a trap for the unwary if includes are used carelessly. Indeed. The other thing that comes to mind, is that as opposed to postgresql.conf and the

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Bruce Momjian
On Fri, Feb 14, 2014 at 03:28:23AM -0500, Stephen Frost wrote: Bruce, * Bruce Momjian (br...@momjian.us) wrote: On Thu, Feb 13, 2014 at 08:24:27PM -0600, Jerry Sievers wrote: I'm aware of how a pg_hba.conf file can refer to other files for including @lists of users, etc. But

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Stephen Frost
* Bruce Momjian (br...@momjian.us) wrote: On Fri, Feb 14, 2014 at 03:28:23AM -0500, Stephen Frost wrote: Having @include and directory.d-style capabilities for pg_hba.conf *and* pg_ident.conf would make managing larger environments much better. There has been some talk about providing those

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Magnus Hagander
On Fri, Feb 14, 2014 at 3:32 PM, Bruce Momjian br...@momjian.us wrote: On Thu, Feb 13, 2014 at 11:28:45PM -0600, Jerry Sievers wrote: One issue with this is that pg_hba.conf is order sensitive, which could become a trap for the unwary if includes are used carelessly. Indeed. The

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Stephen Frost
* Bruce Momjian (br...@momjian.us) wrote: In an ideal world we would have a tool where you could plug in a username, database, IP address, and test pg_hba.conf file and it would report what line is matched. That's not a bad idea, but we don't expose the logic that figures that out today.. It

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Bruce Momjian
On Fri, Feb 14, 2014 at 09:34:59AM -0500, Stephen Frost wrote: * Bruce Momjian (br...@momjian.us) wrote: On Fri, Feb 14, 2014 at 03:28:23AM -0500, Stephen Frost wrote: Having @include and directory.d-style capabilities for pg_hba.conf *and* pg_ident.conf would make managing larger

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Fabrízio de Royes Mello
On Fri, Feb 14, 2014 at 12:36 PM, Stephen Frost sfr...@snowman.net wrote: * Bruce Momjian (br...@momjian.us) wrote: In an ideal world we would have a tool where you could plug in a username, database, IP address, and test pg_hba.conf file and it would report what line is matched. That's

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Tom Lane
Stephen Frost sfr...@snowman.net writes: Having @include and directory.d-style capabilities for pg_hba.conf *and* pg_ident.conf would make managing larger environments much better. I'm a little suspicious of this, mainly because pg_hba searching is necessarily linear (and none too cheap

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Andres Freund
On 2014-02-14 10:19:30 -0500, Tom Lane wrote: Stephen Frost sfr...@snowman.net writes: Having @include and directory.d-style capabilities for pg_hba.conf *and* pg_ident.conf would make managing larger environments much better. I'm a little suspicious of this, mainly because pg_hba

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Stephen Frost
* Tom Lane (t...@sss.pgh.pa.us) wrote: Stephen Frost sfr...@snowman.net writes: Having @include and directory.d-style capabilities for pg_hba.conf *and* pg_ident.conf would make managing larger environments much better. I'm a little suspicious of this, mainly because pg_hba searching is

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Andres Freund
On 2014-02-14 11:03:19 -0500, Stephen Frost wrote: Also, all of the above ignores the pg_ident side of the house, which is even worse as you need an entry for every user, period, if you're using client-side SSL certificates or Kerberos/GSSAPI-based authentication with full princ names. Well,

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Stephen Frost
* Andres Freund (and...@2ndquadrant.com) wrote: On 2014-02-14 11:03:19 -0500, Stephen Frost wrote: Also, all of the above ignores the pg_ident side of the house, which is even worse as you need an entry for every user, period, if you're using client-side SSL certificates or

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Tom Lane
Stephen Frost sfr...@snowman.net writes: * Tom Lane (t...@sss.pgh.pa.us) wrote: In short: I suspect this approach may be fixing the wrong thing. I'm curious what you're thinking would be the right thing to fix here? I was asking for use-cases so we could figure out what's the right thing ;-)

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Andres Freund
On 2014-02-14 11:10:48 -0500, Tom Lane wrote: Stephen Frost sfr...@snowman.net writes: * Tom Lane (t...@sss.pgh.pa.us) wrote: In short: I suspect this approach may be fixing the wrong thing. I'm curious what you're thinking would be the right thing to fix here? I was asking for

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Stephen Frost
* Andres Freund (and...@2ndquadrant.com) wrote: On 2014-02-14 11:10:48 -0500, Tom Lane wrote: Stephen Frost sfr...@snowman.net writes: * Tom Lane (t...@sss.pgh.pa.us) wrote: In short: I suspect this approach may be fixing the wrong thing. I'm curious what you're thinking would be

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Jerry Sievers
Tom Lane t...@sss.pgh.pa.us writes: Stephen Frost sfr...@snowman.net writes: * Tom Lane (t...@sss.pgh.pa.us) wrote: In short: I suspect this approach may be fixing the wrong thing. I'm curious what you're thinking would be the right thing to fix here? I was asking for use-cases so we

Re: [HACKERS] HBA files w/include support?

2014-02-14 Thread Jeff Janes
On Fri, Feb 14, 2014 at 6:33 AM, Bruce Momjian br...@momjian.us wrote: On Fri, Feb 14, 2014 at 03:28:23AM -0500, Stephen Frost wrote: Bruce, Having @include and directory.d-style capabilities for pg_hba.conf *and* pg_ident.conf would make managing larger environments much better. There

[HACKERS] HBA files w/include support?

2014-02-13 Thread Jerry Sievers
Greetings Hackers. I'm aware of how a pg_hba.conf file can refer to other files for including @lists of users, etc. But there is currently no support for being able to pull in entire file segments as can be done for postgresql.conf via the include directive. In the environment that I'm

Re: [HACKERS] HBA files w/include support?

2014-02-13 Thread Bruce Momjian
On Thu, Feb 13, 2014 at 08:24:27PM -0600, Jerry Sievers wrote: Greetings Hackers. I'm aware of how a pg_hba.conf file can refer to other files for including @lists of users, etc. But there is currently no support for being able to pull in entire file segments as can be done for

Re: [HACKERS] HBA files w/include support?

2014-02-13 Thread Alvaro Herrera
Bruce Momjian wrote: On Thu, Feb 13, 2014 at 08:24:27PM -0600, Jerry Sievers wrote: Greetings Hackers. I'm aware of how a pg_hba.conf file can refer to other files for including @lists of users, etc. But there is currently no support for being able to pull in entire file segments

Re: [HACKERS] HBA files w/include support?

2014-02-13 Thread Jerry Sievers
Alvaro Herrera alvhe...@2ndquadrant.com writes: Bruce Momjian wrote: On Thu, Feb 13, 2014 at 08:24:27PM -0600, Jerry Sievers wrote: Greetings Hackers. I'm aware of how a pg_hba.conf file can refer to other files for including @lists of users, etc. But there is currently no