Обсуждение: "repliation" as database name
Hello. We can create a database named "replication". $ createdb replication A pg_hba.conf entry with DATABASE="all" is described as 'does not match "replication"' in the comment there, but actually it matches and we can connect to the database "replication". (Documentation doesn't mention the restriction) $ psql replication -At -c 'select current_database()' replication We can specify the name replication by quoting and it does not match a replication connection. It is not documented at all. pg_hba.conf > local "replication" all trust > #local replication all trust ## commented out > FATAL: could not connect to the primary server: FATAL: no pg_hba.conf entry for replication connection from host "[local]",user "horiguti", SSL off > $ psql replication -At -c 'select current_database()' > replication The same can be said to sameuser, samerole and even all. I think this is absolutely sane behavior and worth documentation in any extent if it doesn't become complex. I think that at least the following amendments would be needed. - Remove ""all" does not match "replication"". Instead "The "all" keyword does not match replication connections." - double-quoted database name is taken literally. Is it worth doing? regards. -- Kyotaro Horiguchi NTT Open Source Software Center
At Tue, 18 Dec 2018 18:48:25 +0900 (Tokyo Standard Time), Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp> wrote in <20181218.184825.02619975.horiguchi.kyotaro@lab.ntt.co.jp> > - Remove ""all" does not match "replication"". Instead "The "all" > keyword does not match replication connections." > - double-quoted database name is taken literally. I found that in the documentation thanks to a notification off-list. And after some reconfirmation, what I want to fix is only a few lines of comment in pg_hba.conf.sample. -# database name, or a comma-separated list thereof. The "all" -# keyword does not match "replication". Access to replication -# must be enabled in a separate record (see example below). +# database name, or a comma-separated list thereof. The "all" keyword +# matches all databases. The "replication" keyword matches a physical +# replication connection request and it must be enabled in a separate +# record (see example below) regards. -- Kyotaro Horiguchi NTT Open Source Software Center From b270a38b3edc90a3f56cb07ea6fdd5a20140fd46 Mon Sep 17 00:00:00 2001 From: Kyotaro Horiguchi <horiguchi.kyotaro@lab.ntt.co.jp> Date: Fri, 21 Dec 2018 15:48:25 +0900 Subject: [PATCH] Clarify the comments about "all" and "replication" in pg_hba.conf.sample In the explanetory comments in the pg_hba.conf.sample file looks a bit misleading. Clarify the meaning of "all" and "replication" keywords by make database name distinctive from keywords. --- src/backend/libpq/pg_hba.conf.sample | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample index c853e36232..7c9c225afe 100644 --- a/src/backend/libpq/pg_hba.conf.sample +++ b/src/backend/libpq/pg_hba.conf.sample @@ -22,9 +22,10 @@ # plain TCP/IP socket. # # DATABASE can be "all", "sameuser", "samerole", "replication", a -# database name, or a comma-separated list thereof. The "all" -# keyword does not match "replication". Access to replication -# must be enabled in a separate record (see example below). +# database name, or a comma-separated list thereof. The "all" keyword +# matches all databases. The "replication" keyword matches a physical +# replication connection request and it must be enabled in a separate +# record (see example below). # # USER can be "all", a user name, a group name prefixed with "+", or a # comma-separated list thereof. In both the DATABASE and USER fields -- 2.16.3
Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp> writes:
> I found that in the documentation thanks to a notification
> off-list. And after some reconfirmation, what I want to fix is
> only a few lines of comment in pg_hba.conf.sample.
> -# database name, or a comma-separated list thereof. The "all"
> -# keyword does not match "replication". Access to replication
> -# must be enabled in a separate record (see example below).
> +# database name, or a comma-separated list thereof. The "all" keyword
> +# matches all databases. The "replication" keyword matches a physical
> +# replication connection request and it must be enabled in a separate
> +# record (see example below)
Hm, I agree that the para doesn't read very well now, but I think this
could be improved further. How about something like
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "replication"
# keyword matches replication connection requests (see example below).
# The "all" keyword matches all database names, but not replication
# connections.
regards, tom lane
At Wed, 26 Dec 2018 12:59:32 -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote in <32289.1545847172@sss.pgh.pa.us> > Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp> writes: > > I found that in the documentation thanks to a notification > > off-list. And after some reconfirmation, what I want to fix is > > only a few lines of comment in pg_hba.conf.sample. > > > -# database name, or a comma-separated list thereof. The "all" > > -# keyword does not match "replication". Access to replication > > -# must be enabled in a separate record (see example below). > > +# database name, or a comma-separated list thereof. The "all" keyword > > +# matches all databases. The "replication" keyword matches a physical > > +# replication connection request and it must be enabled in a separate > > +# record (see example below) > > Hm, I agree that the para doesn't read very well now, but I think this > could be improved further. How about something like > > # DATABASE can be "all", "sameuser", "samerole", "replication", a > # database name, or a comma-separated list thereof. The "replication" > # keyword matches replication connection requests (see example below). > # The "all" keyword matches all database names, but not replication > # connections. I'm afraid that just dropping "it must be enabled in a separate record" leads to confusion. How about adding a comment to replication connection examples. # Allow replication connections from localhost, by a user with the # replication privilege. Each definition must have its own record. regards. -- Kyotaro Horiguchi NTT Open Source Software Center
At Mon, 28 Jan 2019 17:30:57 +0900 (Tokyo Standard Time), Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp> wrote in <20190128.173057.41178374.horiguchi.kyotaro@lab.ntt.co.jp> > At Wed, 26 Dec 2018 12:59:32 -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote in <32289.1545847172@sss.pgh.pa.us> > > Hm, I agree that the para doesn't read very well now, but I think this > > could be improved further. How about something like > > > > # DATABASE can be "all", "sameuser", "samerole", "replication", a > > # database name, or a comma-separated list thereof. The "replication" > > # keyword matches replication connection requests (see example below). > > # The "all" keyword matches all database names, but not replication > > # connections. > > I'm afraid that just dropping "it must be enabled in a separate > record" leads to confusion. How about adding a comment to > replication connection examples. > > # Allow replication connections from localhost, by a user with the > # replication privilege. Each definition must have its own record. Mmm, this doesn't seem to saying what I wanted to say there. This seems better. # Allow replication connections from localhost, by a user with # the replication privilege. They must have separate records from # non-replication connections. regards. -- Kyotaro Horiguchi NTT Open Source Software Center