On 5/18/21 8:05 AM, Chapman Flack wrote:
> On 05/18/21 04:54, Magnus Hagander wrote:
>
>> I mean, if you have
>> hostssl somedatabase someuser 10.0.0.0/24 gss
>> hostssl somedatabase supseruser 10.0.0.0/24 gss tls_min_version=1.3
>>
>> One would reasonably expect that "someuser" can connect with
On 05/18/21 04:54, Magnus Hagander wrote:
> I mean, if you have
> hostssl somedatabase someuser 10.0.0.0/24 gss
> hostssl somedatabase supseruser 10.0.0.0/24 gss tls_min_version=1.3
>
> One would reasonably expect that "someuser" can connect with whatever
> the default version is for tls_min_versi
On Mon, May 17, 2021 at 11:18 PM Chapman Flack wrote:
>
> On 05/17/21 16:35, Magnus Hagander wrote:
> > So you're saying that some entries in the parameter section would
> > depend on the db/user/ip combo and some would depend just on the ip?
>
> I don't *think* that's what I was saying. What I wa
On 05/17/21 21:19, Chapman Flack wrote:
> This makes twice in a row that I've failed to see how.
>
> If you go through the entries, in order, and simply prune from the list
> the ones you can already prove would never apply to this connection, how
> does that break the ordering principle?
Ok, I
On 05/17/21 17:55, Tom Lane wrote:
> This seems pretty horrid to me, not only from a complexity standpoint,
> but because it would break the principle that pg_hba.conf entries are
> applied in order.
This makes twice in a row that I've failed to see how.
If you go through the entries, in order, a
Chapman Flack writes:
> On 05/17/21 16:35, Magnus Hagander wrote:
>> So you're saying that some entries in the parameter section would
>> depend on the db/user/ip combo and some would depend just on the ip?
> I don't *think* that's what I was saying. What I was thinking was this:
> ...
This seem
On 05/17/21 16:35, Magnus Hagander wrote:
> So you're saying that some entries in the parameter section would
> depend on the db/user/ip combo and some would depend just on the ip?
I don't *think* that's what I was saying. What I was thinking was this:
The pg_hba.conf file is an ordered list of e
On Mon, May 17, 2021 at 10:31 PM Chapman Flack wrote:
>
> On 05/17/21 16:15, Magnus Hagander wrote:
> > The row is selected by the combination of username/database/ipaddress.
> > But you have to pick the minimum TLS version before the client has
> > sent that... Basically we have to make the choic
On 05/17/21 16:15, Magnus Hagander wrote:
> The row is selected by the combination of username/database/ipaddress.
> But you have to pick the minimum TLS version before the client has
> sent that... Basically we have to make the choice long before we've
> even started looking at pg_hba.
Use the pe
On Fri, May 14, 2021 at 8:58 PM Stephen Frost wrote:
>
> Greetings,
>
> * Chapman Flack (c...@anastigmatix.net) wrote:
> > If pg_hba syntax changes are being entertained, I would love to be able
> > to set ssl_min_protocol_version locally in a hostssl rule.
> >
> > Some clients at $work are stuck
Stephen Frost writes:
> * Chapman Flack (c...@anastigmatix.net) wrote:
>> If pg_hba syntax changes are being entertained, I would love to be able
>> to set ssl_min_protocol_version locally in a hostssl rule.
>> Some clients at $work are stuck with ancient SSL libraries, but I would
>> much rather
Greetings,
* Tom Lane (t...@sss.pgh.pa.us) wrote:
> Andrew Dunstan writes:
> > On 5/13/21 7:38 PM, Bossart, Nathan wrote:
> >> I've attached a small patch that allows specifying only direct members
> >> of a group in pg_hba.conf.
>
> > Do we really want to be creating two classes of role members
Greetings,
* Chapman Flack (c...@anastigmatix.net) wrote:
> If pg_hba syntax changes are being entertained, I would love to be able
> to set ssl_min_protocol_version locally in a hostssl rule.
>
> Some clients at $work are stuck with ancient SSL libraries, but I would
> much rather be able to wea
On 05/13/21 19:38, Bossart, Nathan wrote:
> I chose "&" as a new group name prefix for this purpose. This choice
If pg_hba syntax changes are being entertained, I would love to be able
to set ssl_min_protocol_version locally in a hostssl rule.
Some clients at $work are stuck with ancient SSL lib
Andrew Dunstan writes:
> On 5/13/21 7:38 PM, Bossart, Nathan wrote:
>> I've attached a small patch that allows specifying only direct members
>> of a group in pg_hba.conf.
> Do we really want to be creating two classes of role membership?
Yeah, this seems to be going against the clear meaning of
On 5/13/21 7:38 PM, Bossart, Nathan wrote:
> Hi hackers,
>
> I've attached a small patch that allows specifying only direct members
> of a group in pg_hba.conf. The "+" prefix offered today matches both
> direct and indirect role members, which may complicate some role
> setups. For example, if