Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nMvhL-0002Go-0c for pgsql-hackers@arkaria.postgresql.org; Wed, 23 Feb 2022 17:45:07 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nMvhJ-00046e-Ue for pgsql-hackers@arkaria.postgresql.org; Wed, 23 Feb 2022 17:45:05 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nMvhJ-00046U-J4 for pgsql-hackers@lists.postgresql.org; Wed, 23 Feb 2022 17:45:05 +0000 Received: from mail-pl1-x636.google.com ([2607:f8b0:4864:20::636]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1nMvhF-00038F-Vr for pgsql-hackers@lists.postgresql.org; Wed, 23 Feb 2022 17:45:04 +0000 Received: by mail-pl1-x636.google.com with SMTP id x11so19395125pll.10 for ; Wed, 23 Feb 2022 09:45:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=wZhrcNsJUN+eVY70DpYenkw66YuDgl99BE1EvaPjD7E=; b=Kksgfk2Pf2/HEikLD3qGbxBDc9G3zQ8TYxa/DBdIVd0p++fPuLD8h9baAxXxjRxAam 0jXOqPS0QI6vn5/sll5cgtKnaS4NdXwdktA2h4b67M4O2ZkW84TFgRhk0S0Kqe2GJFOc oA5beLYzHRZ2o3yln6CcASdyGXPh/ncLx/wUl1eEloJa/+VspUXfQx8QmrBuvMfnxYwx ka9c9Lk2NPEeiffaC+kakKpQ3G6MrzGpA/up1mF+GOFQJ06Fu8JVMsHOFGZLbNAxdQjB anzzcdXCwg2PwmSZ7GYGa2anSYcMKqke2px5ppTK9i9ZtVNo3TbJSWCOLZknEPuDV127 n3hQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=wZhrcNsJUN+eVY70DpYenkw66YuDgl99BE1EvaPjD7E=; b=GJAiR6TH1PM1U3ucIOweCExgljbtsBjrzKj+FTlukm7oAJrktXOlcnJszxDMiZRGm2 AKnfK7sDqKoJqjOYzUx0rrZeb0N3+v/z5Et1V1GI2w+urWJDvI98j5hBNY2ZrxGN5AaL 0mcCfBTyiQkWdYhhX0Lh3vQI6gyaC1q+fZP8z7OIapE1+/iaqnuPTwAtPhxK0TU81zH5 yh9I2HAB555Iu4yYsKvlEb3cv8CvCgLWtu+p/YyJX0HjohIYfMi1v4S9wcmFU07XQqux NEeN9Ymm77hAtINwJDT5mThpmM4ftTujjKPLOraL1lH4NKmQq6TI7vZMyrwT5vr1zBWR mi0w== X-Gm-Message-State: AOAM531KLgIwAVTdsntUx0VK3+8DqHOjZr5P2uLMpjDYDTsdtyu2gAmg n8OVjP/IfLQ+ylR4OesZXVU= X-Google-Smtp-Source: ABdhPJw16luu7u8+9/q3B4aOb8p6NPhA9UyR18MXW8A/UAK9Ydkrt04UWHohhzZ0cp4WYdyEQjz0uA== X-Received: by 2002:a17:90a:ab08:b0:1b9:c59:82c3 with SMTP id m8-20020a17090aab0800b001b90c5982c3mr10280607pjq.95.1645638300814; Wed, 23 Feb 2022 09:45:00 -0800 (PST) Received: from nathanxps13 ([50.54.155.70]) by smtp.gmail.com with ESMTPSA id a29sm142458pgl.24.2022.02.23.09.44.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Feb 2022 09:45:00 -0800 (PST) Date: Wed, 23 Feb 2022 09:44:58 -0800 From: Nathan Bossart To: Julien Rouhaud Cc: pgsql-hackers@lists.postgresql.org Subject: Re: Allow file inclusion in pg_hba and pg_ident files Message-ID: <20220223174458.GA336225@nathanxps13> References: <20220223045959.35ipdsvbxcstrhya@jrouhaud> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220223045959.35ipdsvbxcstrhya@jrouhaud> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, Feb 23, 2022 at 12:59:59PM +0800, Julien Rouhaud wrote: > To address that, I'd like to propose the possibility to include files in hba > and ident configuration files. This was already discussed in the past, and in > my understanding this is mostly wanted, while some people expressed concerned > on a use case that wouldn't rely on thousands of entries. +1, I think this would be very useful. > 0001 adds a new pg_ident_file_mappings view, which is basically the same as > pg_hba_file_rules view but for mappings. It's probably already useful, for > instance if you need to tweak some regexp. This seems reasonable. > Finally I also added 0003, which is a POC for a new pg_hba_matches() function, > that can help DBA to understand why their configuration isn't working as they > expect. This only to start the discussion on that topic, the code is for now > really hackish, as I don't know how much this is wanted and/or if some other > behavior would be better, and there's also no documentation or test. The > function for now only takes an optional inet (null means unix socket), the > target role and an optional ssl flag and returns the file, line and raw line > matching if any, or null. For instance: I think another use-case for this is testing updates to your configuration files. For example, I could ensure that hba_forbid_non_ssl.conf wasn't accidentally reverted as part of an unrelated change. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com