And you can change pg_hba.conf on the fly, so you don't have to restart
a 24/7 database because you locked the superuser out.
If your back were against the wall, you could probably hand-edit the
flat-file version of the permission file enough to let yourself in
without shutting down the postmaster. It might not be as user-friendly
to edit as the current pg_hba.conf, but it'd still be flat ASCII I expect.
Hi,
AFAIC, I've written scripts that alter the file "pg_hba.conf" on the fly,
while running PostgreSQL, and also *before* starting PostgreSQL !
The goal was to create a "restricted" mode, called via :
service postgresql start-restricted
For example, if the database server is off, and maintenance is needed
*before* any normal (non-superuser) connections, we can start the server
directly, with perfect security settings...
So, the actual pg_hba.conf file is ideal !
If we would have to start the database in order to reconfigure it to
prevent normal connections, a normal user could take advantage of this
to connect during this process !!
Don't loose flexibility and security for some "elegant" evolutions !
Best Regards,
Philippe Ferreira.
