Re: Allow file inclusion in pg_hba and pg_ident files

From: Nathan Bossart <nathandbossart(at)gmail(dot)com>
To: Julien Rouhaud <rjuju123(at)gmail(dot)com>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Allow file inclusion in pg_hba and pg_ident files
Date: 2022-02-23 17:44:58
Message-ID: 20220223174458.GA336225@nathanxps13
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, Feb 23, 2022 at 12:59:59PM +0800, Julien Rouhaud wrote:
> To address that, I'd like to propose the possibility to include files in hba
> and ident configuration files. This was already discussed in the past, and in
> my understanding this is mostly wanted, while some people expressed concerned
> on a use case that wouldn't rely on thousands of entries.

+1, I think this would be very useful.

> 0001 adds a new pg_ident_file_mappings view, which is basically the same as
> pg_hba_file_rules view but for mappings. It's probably already useful, for
> instance if you need to tweak some regexp.

This seems reasonable.

> Finally I also added 0003, which is a POC for a new pg_hba_matches() function,
> that can help DBA to understand why their configuration isn't working as they
> expect. This only to start the discussion on that topic, the code is for now
> really hackish, as I don't know how much this is wanted and/or if some other
> behavior would be better, and there's also no documentation or test. The
> function for now only takes an optional inet (null means unix socket), the
> target role and an optional ssl flag and returns the file, line and raw line
> matching if any, or null. For instance:

I think another use-case for this is testing updates to your configuration
files. For example, I could ensure that hba_forbid_non_ssl.conf wasn't
accidentally reverted as part of an unrelated change.

--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Imseih (AWS), Sami 2022-02-23 18:02:08 Re: Add index scan progress to pg_stat_progress_vacuum
Previous Message Euler Taveira 2022-02-23 17:33:34 Re: logical decoding and replication of sequences