Re: host name support in pg_hba.conf

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: host name support in pg_hba.conf
Date: 2010-08-10 15:45:18
Message-ID: 20100810154518.GF26232@tamriel.snowman.net
Lists: pgsql-hackers

* Kevin Grittner (Kevin(dot)Grittner(at)wicourts(dot)gov) wrote:
> It's hardly nonsense to have multiple names on a machine. While we
> usually avoid having multiple reverse lookup names, we have many
> in-house web applications and we neither want users to access them
> by IP address nor have to worry about which web server is hosting
> which applications at the moment. So it's not unusual for one of
> our web servers to have 10 or 15 DNS names for forward lookup. If
> one machine becomes overloaded, we can move an application, change
> the DNS, and everyone's bookmark still works. This is precisely the
> sort of situation where using a hostname in pg_hba.conf would be
> most useful.

We're talking about client systems connecting to PG here. Are you
authenticating your web users by looking at their client addresses..?
That strikes me as pretty unlikely. Your web servers will be connecting
to your PG server from *one* address (whatever the main one is for that
particular server), and that address just needs to have an rDNS entry
that goes to a host whose forward DNS includes that IP.

If you have multiple web servers that are connecting to the same PG
database, then have multiple pg_hba entries, or make them all have the
same hostname per reverse DNS (though I don't really see why you'd want
to).

> > We must make our implementation robust against other setups, but we
> > don't have to (or rather cannot) support them.
>
> Without the logic to ensure that the hostname matches the reverse
> lookup, this might be useful for us. With that logic it is useless
> for us. I'm wondering how much you gain by having it in there. Why
> can't a forward lookup which matches the requesting IP be considered
> sufficient?

Because "you can't get there from here". You'd either have to cache all
the entries in pg_hba (which is horrible), or do a look-up on each one
on every connection (which is going to be a hell of a lot slower than
doing one more DNS lookup here). This isn't magic. What we have is a
bunch of host names and a single IP (the connecting one). Figuring out
which one goes with which is the issue.

Stephen
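To make the two matching strategies in this exchange concrete, here is an added example (not code from PostgreSQL or from either poster) that models them against a constructed, offline DNS table. `FakeResolver`, the `REVERSE`/`FORWARD` tables and every address and name in them are assumptions made up for the illustration; the point is the lookup count and the forward-confirmation step.

```python
from typing import Dict, List, Optional

# Constructed DNS data standing in for real PTR and A lookups (assumption:
# all names and addresses below are invented for this example).
REVERSE: Dict[str, str] = {
    "10.0.0.5": "web1.example.internal",
    "10.0.0.9": "db-client.example.internal",  # PTR not backed by forward DNS
}
FORWARD: Dict[str, List[str]] = {
    "web1.example.internal": ["10.0.0.5"],
    "app.example.internal": ["10.0.0.5"],  # extra forward name for the same host
    "db-client.example.internal": ["10.0.0.77"],
}

class FakeResolver:
    """Offline stand-in for getnameinfo/getaddrinfo that counts queries."""
    def __init__(self, reverse: Dict[str, str], forward: Dict[str, List[str]]):
        self.reverse, self.forward, self.queries = reverse, forward, 0
    def ptr(self, ip: str) -> Optional[str]:
        self.queries += 1
        return self.reverse.get(ip)
    def addrs(self, name: str) -> List[str]:
        self.queries += 1
        return self.forward.get(name, [])

def match_reverse_then_forward(r: FakeResolver, client_ip: str,
                               hba_hostnames: List[str]) -> Optional[str]:
    """Stephen's approach: one PTR lookup, one forward lookup to confirm it,
    then a plain string compare against the pg_hba.conf entries."""
    name = r.ptr(client_ip)
    if name is None:
        return None
    # Forward-confirm the PTR: the name must publish this IP, otherwise
    # whoever controls reverse DNS for the IP could claim any hostname.
    if client_ip not in r.addrs(name):
        return None
    return name if name in hba_hostnames else None

def match_forward_each_entry(r: FakeResolver, client_ip: str,
                             hba_hostnames: List[str]) -> Optional[str]:
    """Kevin's proposal: forward-resolve every hostname entry and accept the
    first whose addresses contain the client IP (one lookup per entry)."""
    for name in hba_hostnames:
        if client_ip in r.addrs(name):
            return name
    return None
```

Running both against a host with several forward names shows why the two sides disagree: the reverse-then-forward check costs two lookups regardless of how many entries pg_hba.conf holds but only ever matches the PTR name, while the per-entry forward scan matches any alias at the price of one lookup per entry.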
