| From: | Jim Jones <jim(dot)jones(at)uni-muenster(dot)de> |
|---|---|
| To: | Peter Eisentraut <peter(at)eisentraut(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: [PATCH] Add inline comments to the pg_hba_file_rules view |
| Date: | 2023-09-26 18:40:52 |
| Message-ID: | 39262770-a13e-3639-ea91-cd1a338ec589@uni-muenster.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi!
On 26.09.23 15:19, Peter Eisentraut wrote:
> On 04.09.23 11:54, Jim Jones wrote:
>> This patch proposes the column "comment" to the pg_hba_file_rules
>> view. It basically parses the inline comment (if any) of a valid
>> pg_hba.conf entry and displays it in the new column.
>>
>> For such pg_hba entries ...
>>
>> host db jim 127.0.0.1/32 md5 # foo
>> host db jim 127.0.0.1/32 md5 #bar
>> host db jim 127.0.0.1/32 md5 # #foo#
>
> I'm skeptical about this.
>
> First, there are multiple commenting styles. The end-of-line style is
> less common in my experience, because pg_hba.conf lines tend to
> belong. Another style is
>
> # foo
> host db jim 127.0.0.1/32 md5
> # bar
> host db jim 127.0.0.1/32 md5
>
> or even as a block
>
> # foo and bar
> host db jim 127.0.0.1/32 md5
> host db jim 127.0.0.1/32 md5
>
> Another potential problem is that maybe people don't want their
> comments leaked out of the file. Who knows what they have written in
> there.
I also considered this for a while. That's why I suggested only inline
comments. On a second thought, I agree that making only certain types of
comments "accessible" by the pg_hba_file_rules view can be misleading
and can possibly leak sensible info if misused.
>
> I think we should leave file comments be file comments. If we want
> some annotations to be exported to higher-level views, we should make
> that an intentional and explicit separate feature.
My first suggestion [1] was to use a different character (other than
'#'), but a good point was made, that it would add more complexity to
the hba.c, which is already complex enough.
My main motivation with this feature is to be able to annotate pg_hba
entries in a way that it can be read using the pg_hba_file_rule via SQL
- these annotations might contain information like tags, client
(application) names or any relevant info regarding the granted access.
This info would help me to generate some reports that contain client
access information. I can sort of achieve something similar using
pg_read_file(),[2] but I thought it would be nice to have it directly
from the view.
Do you think that this feature is in general not a good idea? Or perhaps
a different annotation method would address your concerns?
Thank you very much for taking a look into it!
Jim
1-
https://www.postgresql.org/message-id/flat/3fec6550-93b0-b542-b203-b0054aaee83b(at)uni-muenster(dot)de
2-
https://www.postgresql.org/message-id/b63625ca-580f-14dc-7e7c-f90cd4d95cf7%40uni-muenster.de
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Davis | 2023-09-26 19:32:13 | Re: Is this a problem in GenericXLogFinish()? |
| Previous Message | Tom Lane | 2023-09-26 18:01:23 | Re: [PGdocs] fix description for handling pf non-ASCII characters |