hi Sean!

sean finney [2005-09-25 16:57 -0400]:
> > pg_add_hba [options] yourwebappdb yourwebappuser
> > pg_remove_hba [options] yourwebappdb yourwebappuser
>
> it would also be nice to have a 'pg_query_hba' or something of the like,
> that could be used to determine whether or not pg_add_hba would
> need to be called at all. that way, a user installing an app
> could have something happen like "it appears as though your postgres
> server needs to have its conf changed, shall we?"
>
> i think such an app would have the same cmdline options as pg_add_hba and
> pg_remove_hba, plus an "--add" or "--remove". it would then exit
> nonzero if something needed to be added (in the case of --add) or
> removed (in the case of --remove).

Right, good idea. So what about

  pg_test_hba [options] yourwebappdb yourwebappuser

--cluster would keep its meaning; --ip should be a concrete IP (like 127.0.0.1), which means access is tested from that IP. Other options should not be allowed.

Then pg_test_hba would exit with 1 if there is no matching rule, and with 0 if there is. In the success case, it would print out the access method ("ident sameuser" or "md5"). It might also be interesting whether SSL must be used or not. Maybe this should be printed in a second line, what do you think?

> > --cluster: self-explanatory, defaults to default cluster
> > --ip: IP and netmask for host socket; if not given, defaults to Unix
> > socket (local)
> > --method: defaults to "md5" for TCP connections, and "ident" for
> > Unix socket connections
> > --force-ssl: If given, create a "hostssl" entry, otherwise a "host"
> > entry
>
> maybe --options too? the only option i can think of off the top of
> my head is "sameuser" for ident.

You can also specify an ident map (which few people will actually do in practice, I guess), or a PAM service name (this does not work out of the box, though, since postgres is not in group shadow). So should dbconfig-common really become that complex?

My gut feeling is that "ident sameuser" is the only sensible authentication method when using the Unix socket, at least when it comes to configuring that stuff automatically. Let me make the spec more precise:

  --method: defaults to "md5" for TCP connections, and "ident sameuser" for Unix socket connections

Please let me know whether you really need more complexity. We can always add more options later, but implementing them just for the sake of completeness is a waste, IMHO.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer   http://www.debian.org
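The matching logic a pg_test_hba as proposed above would need, as an added example that is not code from dbconfig-common, postgresql-common, or either correspondent. It goes a little beyond the thread: it applies PostgreSQL's first-matching-rule semantics to local, host and hostssl rules with CIDR addresses, reports the method of the matching rule and whether that rule demands SSL (the "second line" Martin mentions), and exits 1 when nothing matches so that pg_add_hba would be needed. The pg_hba.conf content, the function names (parse_hba, find_rule, check_hba) and the database and user names are constructed for the example.

```python
"""Minimal pg_hba.conf matcher, modelled on the pg_test_hba proposal above.

Added example for illustration; it is not code from dbconfig-common or
postgresql-common. Assumptions: the one-line pg_hba.conf format
  TYPE  DATABASE  USER  [CIDR-ADDRESS]  METHOD [OPTIONS]
with PostgreSQL's first-matching-rule semantics, and no user-group (+name)
or @file entries.
"""
import ipaddress

# Constructed sample pg_hba.conf (not taken from any real host).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER        CIDR-ADDRESS    METHOD
local   all       postgres                    ident sameuser
local   all       all                         ident sameuser
hostssl webappdb  webappuser  10.0.0.0/8      md5
host    webappdb  webappuser  127.0.0.1/32    md5
host    all       all         192.168.0.0/16  reject
"""

HOST_TYPES = ("host", "hostssl", "hostnossl")


def parse_hba(text):
    """Return the rules of a pg_hba.conf as a list of dicts, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local" and len(fields) >= 4:
            # local rules have no address column; METHOD may carry options
            rule = dict(type="local", db=fields[1], user=fields[2],
                        address=None, method=" ".join(fields[3:]))
        elif conn_type in HOST_TYPES and len(fields) >= 5:
            rule = dict(type=conn_type, db=fields[1], user=fields[2],
                        address=ipaddress.ip_network(fields[3], strict=False),
                        method=" ".join(fields[4:]))
        else:
            raise ValueError("unsupported or malformed rule: %r" % raw)
        rules.append(rule)
    return rules


def _db_matches(pattern, db, user):
    """DATABASE column: 'all', 'sameuser', or a comma-separated list of names."""
    if pattern == "all":
        return True
    if pattern == "sameuser":
        return db == user
    return db in pattern.split(",")


def _user_matches(pattern, user):
    """USER column: 'all' or a comma-separated list of role names."""
    return pattern == "all" or user in pattern.split(",")


def find_rule(rules, db, user, ip=None):
    """Return the first rule matching (db, user, client), or None.

    ip=None means a Unix-socket connection, the proposed pg_test_hba default;
    otherwise only host* rules whose CIDR contains the client IP are considered
    (an IPv6 client never matches an IPv4 network and vice versa).
    """
    client = ipaddress.ip_address(ip) if ip is not None else None
    for rule in rules:
        if client is None:
            if rule["type"] != "local":
                continue
        elif rule["type"] == "local" or client not in rule["address"]:
            continue
        if _db_matches(rule["db"], db, user) and _user_matches(rule["user"], user):
            return rule
    return None


def check_hba(rules, db, user, ip=None):
    """Mimic the proposed pg_test_hba: return (exit_code, method, ssl_required).

    Exit code 1 means no rule matches (so pg_add_hba would be needed); 0 means
    a rule matches, and method is what the server would apply. A matching
    'reject' rule still counts as a match: the caller must look at the method.
    """
    rule = find_rule(rules, db, user, ip)
    if rule is None:
        return 1, None, None
    return 0, rule["method"], rule["type"] == "hostssl"


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ip in (None, "127.0.0.1", "10.1.2.3", "192.168.1.5", "172.16.0.1"):
        code, method, ssl = check_hba(rules, "webappdb", "webappuser", ip)
        print("%-12s exit=%d method=%s ssl=%s" % (ip or "local", code, method, ssl))
```

Run it directly to see the five cases: the Unix socket falls through to the second local rule ("ident sameuser"), 10.1.2.3 hits the hostssl rule (md5, SSL required), 127.0.0.1 hits the plain host rule, 192.168.1.5 matches the reject rule, and 172.16.0.1 matches nothing and exits 1. Note that a catch-all "reject" before the rule pg_add_hba appends would shadow it, which is one reason a test tool should report the method rather than only the exit code.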