- 
                Notifications
    You must be signed in to change notification settings 
- Fork 1.2k
Description
Seeing the following in docker-entrypoint.sh:
{ echo; echo "host all \"$POSTGRES_USER\" 0.0.0.0/0 $authMethod"; } >> "$PGDATA"/pg_hba.conf
Today I tried to launch a Redmine container I'd built with this image in mind, and have working on another host, and it failed due to a missing pg_hba.conf line. When I compared the working line with the newly-generated one, I discovered "all" was replaced with $POSTGRES_USER.
Why is this? I guess I can spin up a new database per app, but that seems a bit wasteful. Also, if I understand correctly, I'm now expected to connect my app authenticating against $POSTGRES_USER, which is a superuser. So, unless I'm missing something, you've switched the default mode of operation from "everyone can connect, with authorization handled on the user level" to "only $POSTGRES_USER can connect by default, and $POSTGRES_USER is superuser." That strikes me as absolutely backwards, in the sense that I should be handing out credentials piecemeal rather than connecting to the superuser by default.
I know I can change this with my own scripts, but unless I'm missing something, this default seems absolutely broken.