public inbox for [email protected]  
From: Craig Ringer <[email protected]>
To: Devrim Gündüz <[email protected]>
Cc: pgsql-pkg-yum <[email protected]>
Subject: Re: Can we stop defaulting to 'ident'?
Date: Mon, 23 Dec 2019 14:04:25 +0800
Message-ID: <CAMsr+YFBeZ+jUs0q1h9LO=OcYDstEN7b=4NyOiiS33yH2CaWqw@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <CAMsr+YFCuBGWh4=aM-K2LCsBEwcrqm=pphKKHEH09vHwXcspow@mail.gmail.com>
	<[email protected]>

On Fri, 20 Dec 2019 at 15:45, Devrim Gündüz <[email protected]> wrote:

> Hi,
>
> On Thu, 2019-12-19 at 12:58 +0800, Craig Ringer wrote:
>
> > It's not clear why the initdb wrapper for the rpm packages defaults to
> > generating 'host' entries with 'ident' auth,
>
> Historical reasons, like at least 15 years or more.
>

Time to revisit it then.

The current default is already broken. It is more broken than, and less
useful than, defaulting to 'md5' for 'host' since at least then users could
make it work by setting a password.

ident requires entirely new and different daemons to be installed,
configured and enabled.


> > but I think it's pretty unhelpful. At least if we used 'md5' the user could
> > set passwords and have them actually work.
>
> IMHO the only alternative could be "trust", because I am not holding my breath
> for the majority of our users to be able to set up a password that easily
> (yeah). I'm also not inclined to set up a default password for RPM installations
> (and also RPMs must not do any interactive work, like asking for a password)


The debs use md5 for 'host' and 'peer' for 'local'. While I think they do
support interactive password setting, it's extremely common to run debconf
noninteractively, then set an initial password using psql with the peer
auth conn over a unix socket.

That's the approach I suggest for the rpms too. A stanza to the setup shell
script can even be added to give a hint for next steps:

    echo "PostgreSQL instance created at /var/lib/pgsql/12/data and set to listen on port $NEWPGPORT."
    echo
    echo "Start it with systemctl start postgresql-12 ."

    # Only hint at the unix-socket login when 'local' uses peer auth
    if [ "$local_authmode" = 'peer' ]; then
        echo "Connect with 'sudo -u postgres psql -p $NEWPGPORT' to create users, set passwords and create databases."
    fi

or something like that.

-- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 2ndQuadrant - PostgreSQL Solutions for the Enterprise
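
The layout discussed in this message ('peer' for 'local', a password method for 'host') can be checked against an existing pg_hba.conf. The following is an added example, not part of the original message or of the rpm packaging scripts; `audit_hba` and `sample_hba` are hypothetical names, the sample file is constructed, and quoted names containing spaces and include directives are not handled.

```shell
#!/bin/sh
# Added example: flag TCP ("host*") lines in pg_hba.conf whose auth method
# is 'ident' or 'trust'. Function names here are hypothetical.
# Usage: audit_hba /path/to/pg_hba.conf   (or pipe the file on stdin)
# Output: one "LINE:TYPE:METHOD:REASON" record per finding.
audit_hba() {
    awk '
    /^[ \t]*(#|$)/ { next }              # skip comment-only and blank lines
    {
        sub(/[ \t]+#.*$/, "")            # drop a trailing comment
        type = $1
        if (type == "local") {
            method = $4                  # local db user method
        } else if (type ~ /^host/) {
            # host db user addr/cidr method   OR   host db user ip mask method
            if ($5 ~ /^[0-9.]+$/ || $5 ~ /:/) method = $6
            else method = $5
        } else next
        if (type ~ /^host/ && method == "ident")
            print NR ":" type ":" method ":needs an ident daemon on the client host"
        else if (type ~ /^host/ && method == "trust")
            print NR ":" type ":" method ":no authentication over TCP"
    }' "$@"
}

# Constructed sample input: ident on loopback TCP lines next to a
# peer/md5 layout, plus the ip + mask address form and a trust line.
sample_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER  ADDRESS             METHOD
local   all       all                       peer
host    all       all   127.0.0.1/32        ident
host    all       all   ::1/128             ident
host    all       all   10.0.0.0 255.0.0.0  md5   # ip + mask form
hostssl all       all   0.0.0.0/0           trust
EOF
}

sample_hba | audit_hba
```
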

