public inbox for [email protected]  
help / color / mirror / Atom feed
From: Jacob Champion <[email protected]>
To: Zsolt Parragi <[email protected]>
Cc: Andrew Dunstan <[email protected]>
Cc: Tristan Partin <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: Proposal: new file format for hba/ident/hosts configuration?
Date: Thu, 9 Jul 2026 15:48:37 -0700
Message-ID: <CAOYmi+nxQwwkmb5NEj_LUS6ZCstWqyM-Do3KbqdV9JW3YmwbWA@mail.gmail.com> (raw)
In-Reply-To: <CAN4CZFPQiNvfX2k35zYi9eZ7-kC5vEeQtiM_nOce3MNpK4Ai_w@mail.gmail.com>
References: <CAN4CZFNXdKL4eb_GwT_h-vUuUV+CbPCk_8-+S3kV8iFmNmUw7A@mail.gmail.com>
	<[email protected]>
	<CAD5tBc+ki9ynMuFRkFCCXVtyOO7HaEU7EEdGKA1LWgofNgdNOQ@mail.gmail.com>
	<CAOYmi+m8PrWyhY7diTA+UTGNNzQ8eCZZLRA07LTuzj4VCBaudA@mail.gmail.com>
	<CAN4CZFPQiNvfX2k35zYi9eZ7-kC5vEeQtiM_nOce3MNpK4Ai_w@mail.gmail.com>

On Wed, Jul 8, 2026 at 8:33 AM Zsolt Parragi <[email protected]> wrote:
> I focused on TOML in my email because I think that's still a better
> configuration format than JSON5.

(I agree)

> * do we agree on working towards another configuration format?
> * if yes, what requirements do we have for it?
> * what exact issues do we want to solve, and what to leave as non-goals?

Adding small pieces to this pile: I'm primarily motivated by authn/z,
and I'd like to be able to more intuitively attach parameters to
certain connection contexts. This is something that neither a flat
configuration, nor separated tabular configurations, have really
helped us with.

"Connections using SCRAM authentication should time out in X seconds
instead of the default." Or "this group of users should use the
following list of GUCs." The sample I used in [1] a long time ago was

    Everyone has to use LDAP auth
    With this server
    And these TLS settings

    Except admins
        who additionally need client certificates
        with this CA root

    And Jacob
        who isn't allowed in anymore

We don't handle these (perfectly reasonable IMO) cases very well, or
sometimes at all. I'm primarily used to servers in the web space
(httpd, nginx, caddy, haproxy) when it comes to this configuration
style, which I think I called "contexts with property bags" in that
other thread.

> * I am unsure about using the array syntax for hba rules, but so far I
> like it better than the alternative ideas I tried

FWIW I find that part of it pretty hard to read and understand, though
that should not in any way spike the general concept into the ground.

Thanks!
--Jacob

[1] https://postgr.es/m/0e0c038ab962c3f6dab00934fe5ae1ae115f44c0.camel%40vmware.com






view thread (4+ messages)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Proposal: new file format for hba/ident/hosts configuration?
  In-Reply-To: <CAOYmi+nxQwwkmb5NEj_LUS6ZCstWqyM-Do3KbqdV9JW3YmwbWA@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox