Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf

From: "Drouvot, Bertrand" <bdrouvot(at)amazon(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jacob Champion <jchampion(at)timescale(dot)com>
Cc: PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf
Date: 2022-09-09 10:31:08
Message-ID: 1128e76f-e828-b579-4646-05e8cb021d0e@amazon.com
Lists: pgsql-hackers

Hi,

On 9/9/22 2:46 AM, Tom Lane wrote:
> Jacob Champion <jchampion(at)timescale(dot)com> writes:
>> On Fri, Aug 19, 2022 at 1:13 AM Drouvot, Bertrand <bdrouvot(at)amazon(dot)com> wrote:
>>> This is why I think username filtering with regular expressions would
>>> provide its own advantages.
>> I think your motivation for the feature is solid.
> Yeah. I'm not sure that I buy the argument that this is more useful
> than writing a role name and controlling things with GRANT ROLE, but
> it's a plausible alternative with properties that might win in some
> use-cases. So I see little reason not to allow it.

Thank you both for your feedback.

> I'd actually ask why stop here? In particular, why not do the same
> with the database-name column, especially since that does *not*
> have the ability to use roles as a substitute for a wildcard entry?

I think that's a fair point, I'll look at it.

>> I think you're going to have to address backwards compatibility
>> concerns. Today, I can create a role named "/a", and I can put that
>> into the HBA without quoting it. I'd be unamused if, after an upgrade,
>> my rule suddenly matched any role name containing an 'a'.
> Meh ... that concern seems overblown to me. I guess it's possible
> that somebody has an HBA entry that looks like that, but it doesn't
> seem very plausible. Note that we made this exact same change in
> pg_ident.conf years ago, and AFAIR we got zero complaints.
>
Agree that it seems unlikely but maybe we could add a new GUC to turn
the regex usage on the hba file on/off (and use off as the default)?

Regards,

--
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
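
An added example, not part of the original message or the patch: a pre-upgrade audit for the backwards-compatibility concern quoted above, listing USER-column entries that start with "/" and how the set of matching roles would change. It assumes the semantics described in the thread (text after "/" is an unanchored regex), uses Python's `re` as a stand-in for PostgreSQL's regex engine, and the sample file, role names and function names are constructed for illustration.

```python
import re

# Constructed sample pg_hba.conf content (not from the thread).
SAMPLE_HBA = '''\
# TYPE  DATABASE  USER        ADDRESS       METHOD
local   all       postgres                  peer
host    all       /a          10.0.0.0/8    scram-sha-256
host    app       alice,/^svc 10.0.0.0/8    scram-sha-256
host    all       +admins     10.0.0.0/8    scram-sha-256
'''

# Constructed role names to evaluate both interpretations against.
ROLES = ["/a", "alice", "bob", "svc_backup", "data_svc"]


def user_column(line):
    """Return the names in the USER column (third field) of one HBA line."""
    line = line.split("#", 1)[0]  # simplification: '#' inside quotes not handled
    fields = re.findall(r'(?:"[^"]*"|[^\s"])+', line)
    if len(fields) < 4:  # blank, comment-only or include line
        return []
    # The column may hold a comma-separated list; entries may be quoted.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|[^,"]+', fields[2])]


def audit(hba_text, roles):
    """List (line, token, matches_today, matches_as_regex) where the two differ."""
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), 1):
        for tok in user_column(line):
            if not tok.startswith("/"):
                continue
            # Today: the token is a literal role name.
            today = [r for r in roles if r == tok]
            # Assumed proposed behaviour: text after '/' is an unanchored regex.
            as_regex = [r for r in roles if re.search(tok[1:], r)]
            if today != as_regex:
                findings.append((lineno, tok, today, as_regex))
    return findings


if __name__ == "__main__":
    for lineno, tok, today, as_regex in audit(SAMPLE_HBA, ROLES):
        print(f"line {lineno}: {tok!r} matches {today} today, "
              f"{as_regex} if read as a regex")
```

In practice the role list would come from `pg_roles` on the cluster being upgraded rather than from a constant.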
