Enable replication connections by default in pg_hba.conf

initdb now initializes a pg_hba.conf that allows replication connections
from the local host, same as it does for regular connections.  The
connecting user still needs to have the REPLICATION attribute or be a
superuser.

The intent is to allow pg_basebackup from the local host to succeed
without requiring additional configuration.

Michael Paquier <michael.paquier@gmail.com> and me

diff --git a/doc/src/sgml/ref/initdb.sgml b/doc/src/sgml/ref/initdb.sgml
index 1aaa4901af7aeef35e5c29513c15fd3d74631c61..d9faa96021da7c94758c9cd43c143f52b3371b83 100644 (file)
--- a/doc/src/sgml/ref/initdb.sgml
+++ b/doc/src/sgml/ref/initdb.sgml
@@ -120,11 +120,17 @@ PostgreSQL documentation
       <term><option>--auth=<replaceable class="parameter">authmethod</replaceable></option></term>
       <listitem>
        <para>
-        This option specifies the authentication method for local users used
-        in <filename>pg_hba.conf</> (<literal>host</literal>
-        and <literal>local</literal> lines).  Do not use <literal>trust</>
-        unless you trust all local users on your system.  <literal>trust</> is
-        the default for ease of installation.
+        This option specifies the default authentication method for local
+        users used in <filename>pg_hba.conf</> (<literal>host</literal>
+        and <literal>local</literal> lines).  <command>initdb</command> will
+        prepopulate <filename>pg_hba.conf</filename> entries using the
+        specified authentication method for non-replication as well as
+        replication connections.
+       </para>
+
+       <para>
+        Do not use <literal>trust</> unless you trust all local users on your
+        system.  <literal>trust</> is the default for ease of installation.
        </para>
       </listitem>
      </varlistentry>

diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index 73f7973ea2277129a0ddbe95338f8f1069aac3bf..6b1778a72136edf52cea56f2ab088b9449df9a48 100644 (file)
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -84,6 +84,6 @@ host    all             all             127.0.0.1/32            @authmethodhost@
 host    all             all             ::1/128                 @authmethodhost@
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
-@remove-line-for-nolocal@#local   replication     @default_username@                                @authmethodlocal@
-#host    replication     @default_username@        127.0.0.1/32            @authmethodhost@
-#host    replication     @default_username@        ::1/128                 @authmethodhost@
+@remove-line-for-nolocal@local   replication     all                                     @authmethodlocal@
+host    replication     all             127.0.0.1/32            @authmethodhost@
+host    replication     all             ::1/128                 @authmethodhost@

diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 4968fc783e89acccfc7a2110ac6ec67f8c058af2..da40d7ab678cd48644d1660db3adcbd3bf2b8569 100644 (file)
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -1235,11 +1235,6 @@ setup_config(void)
                                                          "@authcomment@",
                                                          (strcmp(authmethodlocal, "trust") == 0 || strcmp(authmethodhost, "trust") == 0) ? AUTHTRUST_WARNING : "");
 
-       /* Replace username for replication */
-       conflines = replace_token(conflines,
-                                                         "@default_username@",
-                                                         username);
-
        snprintf(path, sizeof(path), "%s/pg_hba.conf", pg_data);
 
        writefile(path, conflines);

diff --git a/src/bin/pg_basebackup/t/010_pg_basebackup.pl b/src/bin/pg_basebackup/t/010_pg_basebackup.pl
index aafb138fd53a3804e0d4ab54238c8a322300e213..14bd813896cf4f9e936236006ae7f6d78f5041d9 100644 (file)
--- a/src/bin/pg_basebackup/t/010_pg_basebackup.pl
+++ b/src/bin/pg_basebackup/t/010_pg_basebackup.pl
@@ -4,7 +4,7 @@ use Cwd;
 use Config;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 73;
+use Test::More tests => 72;
 
 program_help_ok('pg_basebackup');
 program_version_ok('pg_basebackup');
@@ -15,15 +15,12 @@ my $tempdir = TestLib::tempdir;
 my $node = get_new_node('main');
 
 # Initialize node without replication settings
-$node->init(hba_permit_replication => 0);
+$node->init;
 $node->start;
 my $pgdata = $node->data_dir;
 
 $node->command_fails(['pg_basebackup'],
        'pg_basebackup needs target directory specified');
-$node->command_fails(
-       [ 'pg_basebackup', '-D', "$tempdir/backup" ],
-       'pg_basebackup fails because of hba');
 
 # Some Windows ANSI code pages may reject this filename, in which case we
 # quietly proceed without this bit of test coverage.

diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
index e5cb348f4c824828488007df0217083cf522fdda..7e530676b298fc333d2cd0ad487749f6f7603024 100644 (file)
--- a/src/test/perl/PostgresNode.pm
+++ b/src/test/perl/PostgresNode.pm
@@ -349,11 +349,7 @@ sub set_replication_conf
 
        open my $hba, ">>$pgdata/pg_hba.conf";
        print $hba "\n# Allow replication (set up by PostgresNode.pm)\n";
-       if (!$TestLib::windows_os)
-       {
-               print $hba "local replication all trust\n";
-       }
-       else
+       if ($TestLib::windows_os)
        {
                print $hba
 "host replication all $test_localhost/32 sspi include_realm=1 map=regress\n";
@@ -373,9 +369,6 @@ a directory that's only accessible to the current user to ensure that.
 On Windows, we use SSPI authentication to ensure the same (by pg_regress
 --config-auth).
 
-pg_hba.conf is configured to allow replication connections. Pass the keyword
-parameter hba_permit_replication => 0 to disable this.
-
 WAL archiving can be enabled on this node by passing the keyword parameter
 has_archiving => 1. This is disabled by default.
 
@@ -396,8 +389,6 @@ sub init
        my $pgdata = $self->data_dir;
        my $host   = $self->host;
 
-       $params{hba_permit_replication} = 1
-         unless defined $params{hba_permit_replication};
        $params{allows_streaming} = 0 unless defined $params{allows_streaming};
        $params{has_archiving}    = 0 unless defined $params{has_archiving};
 
@@ -451,7 +442,7 @@ sub init
        }
        close $conf;
 
-       $self->set_replication_conf if $params{hba_permit_replication};
+       $self->set_replication_conf if $params{allows_streaming};
        $self->enable_archiving     if $params{has_archiving};
 }
 
@@ -591,9 +582,6 @@ Does not start the node after initializing it.
 
 A recovery.conf is not created.
 
-pg_hba.conf is configured to allow replication connections. Pass the keyword
-parameter hba_permit_replication => 0 to disable this.
-
 Streaming replication can be enabled on this node by passing the keyword
 parameter has_streaming => 1. This is disabled by default.
 
@@ -615,8 +603,6 @@ sub init_from_backup
        my $root_name   = $root_node->name;
 
        $params{has_streaming} = 0 unless defined $params{has_streaming};
-       $params{hba_permit_replication} = 1
-         unless defined $params{hba_permit_replication};
        $params{has_restoring} = 0 unless defined $params{has_restoring};
 
        print
@@ -638,7 +624,6 @@ sub init_from_backup
                qq(
 port = $port
 ));
-       $self->set_replication_conf         if $params{hba_permit_replication};
        $self->enable_streaming($root_node) if $params{has_streaming};
        $self->enable_restoring($root_node) if $params{has_restoring};
 }