On Thursday, March 2, 2017, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote:
> On 2/3/17 17:47, Michael Paquier wrote:
> > On Fri, Feb 3, 2017 at 4:59 AM, Simon Riggs <si...@2ndquadrant.com> wrote:
> >>> It's weirdly inconsistent now. You need a "replication" line in
> >>> pg_hba.conf to connect for logical decoding, but you can't restrict that
> >>> to a specific database because the database column in pg_hba.conf is
> >>> occupied by the "replication" key word.
> >> Agreed. Change needed.
> > That sounds really appealing indeed after thinking about its
> > implications. So we would simply authorize a WAL sender sending
> > "replication" to connect if the user name matches. That's in short
> > check_db() in hba.c.
>
> In <https://www.postgresql.org/message-id/7a33990f-75b1-5a4f-e7c0-223e15b84...@2ndquadrant.com>
> patch 0006 it is proposed to no longer use the "replication" keyword in
> pg_hba.conf for logical replication and use the normal database entries instead.
>
> However, I don't think we can reasonably get rid of the replication
> keyword for physical replication. Say if you have a pg_hba.conf like
>
> host db1 someusers ...
> host db2 someusers ...
> host db3 someusers ...
>
> how would you decide access for physical replication? Since physical
> replication is not to a database, you need a way to call it out
> separately if your pg_hba.conf style is to enumerate databases.

That's the reason we created the "replication" keyword in the first place, isn't it? I think it makes sense to keep that, but it also makes sense to not use it for logical.

> What we could do to make things simpler is to include "replication" in
> the "all" keyword.

The downside of that is that if somebody isn't reading the release notes carefully, or just applying some templates from their puppet or chef or whatnot, they may end up opening their database up for replication for users and IP addresses they did not intend to.

(For users it's probably not an issue thanks to the replication privilege at the user level, but for IP addresses it definitely is.)

//Magnus

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
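To make the concern above concrete, here is an added audit helper (not code from the thread or from PostgreSQL) that models the database-column check of pg_hba.conf under the current rule and under the proposed "all includes replication" rule, and lists which entries would newly admit physical-replication connections. It models only the "all" and "replication" keywords and literal database names; "sameuser", "samerole", "@file" and address matching are out of scope, and the sample file is constructed.

```python
"""Audit helper (added example, not from the thread): list pg_hba.conf
entries that would newly admit physical-replication connections if the
"all" keyword were changed to include "replication", as proposed above.
Assumptions: only the database keywords "all" and "replication" and literal
names are modelled; "sameuser", "samerole", "@file" and address matching are
out of scope.  SAMPLE_HBA is a constructed file, not a real configuration."""
import shlex

SAMPLE_HBA = """
# TYPE  DATABASE      USER        ADDRESS          METHOD
local   all           all                          peer
host    db1           someusers   10.0.0.0/8       md5
host    replication   replicator  192.168.1.5/32   md5
host    all           all         0.0.0.0/0        md5   # templated catch-all
host    db2,db3       someusers   10.1.0.0/16      md5
"""

def parse_hba(text):
    """Yield (type, databases, user, address, method) per non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = shlex.split(line)
        if f[0] == "local":
            f.insert(3, None)  # local (Unix-socket) entries have no ADDRESS column
        yield f[0], f[1].split(","), f[2], f[3], f[4]

def matches_replication(databases, all_includes_replication):
    """Current rule: only the "replication" keyword admits a physical
    replication connection; "all" and literal names do not.
    Proposed rule: "all" admits it as well."""
    if "replication" in databases:
        return True
    return all_includes_replication and "all" in databases

def newly_exposed(text):
    """Entries admitting replication under the proposed rule but not today."""
    out = []
    for typ, dbs, user, addr, _method in parse_hba(text):
        before = matches_replication(dbs, all_includes_replication=False)
        after = matches_replication(dbs, all_includes_replication=True)
        if after and not before:
            out.append((typ, user, addr))
    return out

if __name__ == "__main__":
    for typ, user, addr in newly_exposed(SAMPLE_HBA):
        print(f"{typ:5} user={user} from={addr or 'local socket'}: would newly allow replication")
```

Run against a real pg_hba.conf, the report shows exactly the templated "all" entries (and their address ranges) that a release-notes skim would otherwise miss.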