On 02/02/17 14:32, Simon Riggs wrote: > On 23 January 2017 at 04:29, Michael Paquier <michael.paqu...@gmail.com> > wrote: >> Hi all, >> >> As now wal_level = replica has become the default for Postgres 10, >> could we consider as well making replication connections enabled by >> default in pg_hba.conf? > > Agreed > >> This requires just uncommenting a couple of >> lines in pg_hba.conf.sample. > > I don't think that is the right way to do this. Changing the default > doesn't reduce the complexity. > > I think we should remove the "replication" false database concept in > pg_hba.conf altogether and allow any valid pg_hba rule to invoke a > replication connection, if one is requested. Roles would still need > the REPLICATION capability before this would be allowed. Having both > of those things doesn't materially improve security control. >
+1 > It would also be useful to be able prevent users with REPLICATION > capability from connecting as normal users, if the are marked as > NOLOGIN. > +1 -- Petr Jelinek http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
