Re: Indent authentication overloading

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Indent authentication overloading
Date: 2010-11-17 17:16:07
Message-ID: AANLkTimF=YJX81-JP+2Nwr2FXivK33V3O7pjwR0-UXZ4@mail.gmail.com
Lists: pgsql-hackers

On Wed, Nov 17, 2010 at 17:31, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> On ons, 2010-11-17 at 16:35 +0100, Magnus Hagander wrote:
>> Currently, we overload "ident" meaning both "unix socket
>> authentication" and "ident over tcp", depending on what type of
>> connection it is. This is quite unfortunate - one of them being one of
>> the most secure options we have, the other one being one of the most
>> *insecure* ones (really? ident over tcp? does *anybody* use that
>> intentionally today?)
>>
>> Should we not consider naming those two different things?
>
> The original patch called the Unix domain socket version "peer" (whereas
> the name "ident" comes from the official name of the TCP/IP protocol
> used).  You can look it up in the archives, but I believe the argument
> for using the name "ident" for both was because "ident" was established
> and the new feature would provide the same functionality.

Yeah, I vaguely recall that discussion - too lazy to actually look it
up :-) I think the argument was definitely wrong, but it didn't seem
so at the time...

> That said, I completely agree with you.  Every time I look through a
> pg_hba.conf I think, that's a terrible name, we should rename this.
>
> We could perhaps introduce an alternative name and slowly deprecate the
> original one.

That seems reasonable. Maybe even have the server emit a warning when
it sees it (since we now read/parse pg_hba.conf on server start, it
would only show up once per server reload, not on every connect). Or
maybe just doc-deprecate in 9.1, warning in 9.2, drop in 9.3 or
something?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
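
An added illustration, not part of the original message or of PostgreSQL's own code: a short Python audit that reads pg_hba.conf records and reports which mechanism each `ident` entry actually selects, using the connection-type rule described in the thread. The function names and the sample records are constructed for this example.

```python
import ipaddress
import shlex

TCP_TYPES = {"host", "hostssl", "hostnossl"}

def auth_method(fields):
    """Return the auth-method token of a parsed pg_hba.conf record, or None."""
    kind = fields[0]
    if kind == "local":               # local  db  user  method [options]
        idx = 3
    elif kind in TCP_TYPES:           # host   db  user  addr [mask]  method [options]
        idx = 4
        if len(fields) > 5:
            try:
                ipaddress.ip_address(fields[4])   # separate netmask column present
                idx = 5
            except ValueError:
                pass                              # CIDR or hostname form, no mask column
    else:
        return None
    return fields[idx] if len(fields) > idx else None

def audit_ident(text):
    """Return (line_no, mechanism, record) for every record whose method is 'ident'."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # handles "quoted" names and # comments
        if not fields or auth_method(fields) != "ident":
            continue
        if fields[0] == "local":
            mech = "unix-socket peer credentials"
        else:
            mech = "ident protocol over TCP"
        findings.append((no, mech, " ".join(fields)))
    return findings

# Constructed sample records, not taken from a real server.
SAMPLE = """\
# constructed sample
local   all       postgres                          ident
local   all       all                               md5
host    all       all   127.0.0.1/32                md5
host    reports   all   10.0.0.0/8                  ident
host    legacy    all   192.168.1.0 255.255.255.0   ident  map=ops
"""

if __name__ == "__main__":
    for no, mech, rec in audit_ident(SAMPLE):
        print(f"line {no}: {mech}: {rec}")
```

The two TCP findings are the entries the thread calls insecure; the `local` finding is the socket-based check that shares the same keyword.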
