I spent a fair amount of time just now being confused about why
pg_hba.conf restrictions on replication connections didn't seem to be
getting enforced. After looking at the code, I realize that my entry
with database = "replication" was indeed getting rejected as not
matching, but then the hba code was falling through and matching an
entry with database = "all". This is not the behavior I expected after
looking at the docs; the docs seem to imply that SR connections must
match an explicit replication entry in pg_hba.conf in order to succeed.
Should we change this? It seems to me to be a good thing on security
grounds if replication connections can't be made through a generic
pg_hba entry. If we don't change it, the docs need some adjustment.
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
