On 02/11/2010 04:54 PM, Bart Samwel wrote:
> On Thu, Feb 11, 2010 at 16:36, Mark Mielke <m...@mark.mielke.cc> wrote:
>
>>> ISSUE #3: Multiple hostnames?
>>>
>>> Currently, a pg_hba entry lists an IP / netmask combination. I
>>> would suggest allowing lists of hostnames in the entries, so that
>>> you can at least mimic the "match multiple hosts by a single
>>> rule". Any reason not to do this?
>>
>> I'm mixed. In some situations, I've wanted to put multiple
>> IP/netmask. I would say that if multiple names are supported, then
>> multiple IP/netmask should be supported. But, this does make the
>> lines unwieldy beyond two or three. This direction leans towards
>> the capability to define "host classes", where the rules allow
>> the host class, and the host class can have a list of hostnames.
>
> Yes, but before you know it people will ask for being able to specify
> multiple host classes. :-) Quite simply put, with a single subnet you
> can allow multiple hosts in. Allowing only a single hostname is a step
> backward from that, so adding support for multiple hostnames could be
> useful if somebody is replacing subnets with hostname-based configuration.

This implies two aspects which may not be true:

1) All hosts that I want to allow belong to the same subnet.
2) If I trust one host on the subnet, then I trust all hosts on the
   subnet.

While the above two points are often true, they are not universally true.

>> 2) What will you do if they specify a hostname and a netmask? This
>> seems like a convenient way of saying "everybody on the same
>> subnet as NAME."
>
> Not supported. Either an IP address / netmask combo, or a hostname,
> but not both. I wouldn't want to recommend hardcoding something such
> as netmasks (which are definitely subnet dependent) in combination
> with something as volatile as a host name -- move it to a different
> subnet, and you might allow a whole bigger subnet than you intended.
> If they want to specify a netmask, then they should just use hardcoded
> IPs as well.

Ah yes, I recall this from a previous thread. I think I also disagreed
on the other thread. :-)

I thought of a use for reverse lookup - it would allow wild card
hostnames. Still, that's an advanced feature that might be for later... :-)

Cheers,
mark
--
Mark Mielke <m...@mielke.cc>
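
The hostname-plus-netmask hazard and the subnet-trust assumptions discussed in this message, worked through as an added example that is not part of the original thread. The `hostname/prefixlen` rule form, the host names, the addresses and the site plan are all constructed for illustration and are not pg_hba.conf syntax.

```python
import ipaddress

# Constructed DNS data (assumption): the same name before and after the
# host is moved to another site, plus a second host on an unrelated subnet.
DNS_BEFORE = {"appserver.example.com": "10.1.2.17",
              "reports.example.com": "172.16.9.4"}
DNS_AFTER = {"appserver.example.com": "192.168.5.70",
             "reports.example.com": "172.16.9.4"}

# Constructed site plan (assumption): the subnets that really exist.
REAL_SUBNETS = [ipaddress.ip_network(n) for n in (
    "10.1.2.0/24", "172.16.9.0/24", "192.168.5.0/26",
    "192.168.5.64/26", "192.168.5.128/26", "192.168.5.192/26")]


def effective_network(name, prefixlen, dns):
    """Network admitted by a hypothetical 'hostname/prefixlen' rule."""
    return ipaddress.ip_network(f"{dns[name]}/{prefixlen}", strict=False)


def subnets_admitted(net):
    """Real subnets that fall entirely inside the admitted network."""
    return [s for s in REAL_SUBNETS if s.subnet_of(net)]


def hostname_list_allows(client_ip, names, dns):
    """Hostname-only rule: admit exactly the addresses the names resolve to."""
    allowed = {ipaddress.ip_address(dns[n]) for n in names if n in dns}
    return ipaddress.ip_address(client_ip) in allowed


if __name__ == "__main__":
    for label, dns in (("before move", DNS_BEFORE), ("after move", DNS_AFTER)):
        net = effective_network("appserver.example.com", 24, dns)
        admitted = ", ".join(str(s) for s in subnets_admitted(net))
        print(f"{label}: rule admits {net} -> real subnets: {admitted}")

    # A hostname list covers hosts on different subnets without trusting
    # their neighbours, which a single IP/netmask entry cannot express.
    names = ["appserver.example.com", "reports.example.com"]
    for ip in ("192.168.5.70", "172.16.9.4", "192.168.5.200"):
        print(ip, "allowed" if hostname_list_allows(ip, names, DNS_AFTER) else "rejected")
```

The rule text never changes, yet after the move the hardcoded /24 mask spans four separate /26 subnets where it used to cover one.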