Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pG9Va-0000y6-B8 for pgsql-hackers@arkaria.postgresql.org; Fri, 13 Jan 2023 02:09:30 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pG9VY-000257-35 for pgsql-hackers@arkaria.postgresql.org; Fri, 13 Jan 2023 02:09:28 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pG9VX-00024y-Lw for pgsql-hackers@lists.postgresql.org; Fri, 13 Jan 2023 02:09:27 +0000 Received: from wout2-smtp.messagingengine.com ([64.147.123.25]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pG9VP-0007hE-OQ for pgsql-hackers@lists.postgresql.org; Fri, 13 Jan 2023 02:09:26 +0000 Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 08CC03200437; Thu, 12 Jan 2023 21:09:16 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Thu, 12 Jan 2023 21:09:17 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paquier.xyz; h= cc:cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm3; t=1673575756; x=1673662156; bh=ExmPNeofcM UxKjB+KP05NQaPY66L7XES3+6yV295v5g=; b=wBnk3BfkGartlo7w7Cn/dmyxL0 K1Iq/fF2DPYDKqxPF78L6Mz2QbQ7sd4J45YMf0c6r/k+2g4MZkdLkrehmdF8FVe3 nFjQbiiqA87HdVfh/x6zX90mjg+1U3apc2Mmu5DewfjD3a9ciZlPTQxSGpwitFHO F/gSGFmPGL01qpUWvZw8Oy87wS2pHvwjeiTvnc0K9DKYNRD8/eJhIuxLDz84aJsJ dvB4jCfPt0fQl2Tl04LeLE/va/J7/XJg4vfmVFk5HiDQlKkCia3Bk9oF8yJwsTFm 86dkTittTb9TJvu51C1hzsEAM9SWNwrhbWubehYOvOjkT8l4rvh6vUnzt92Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1673575756; x=1673662156; bh=ExmPNeofcMUxKjB+KP05NQaPY66L 7XES3+6yV295v5g=; b=r8sgBlMSRKnfDX09Ms4xAzRtAHd1O09AePVxgEjeFfHQ c7yvWzKPSeoQaAJviI0CTzriYp03+k7r6c+rlERV2g+pqk1js+1T4gGxvjZMB63V zl78QcTxP/1oajCTWNnM5O1EFaXP2uHzWtBsT4Zajg0Sjij/sovO6HIABA2lXInS QVsn7t6YqOhoWLL0O9rbHgMckC0IcLV4f3J2OcdQrgt5E+fcLFAJY+RntMDHhS88 YuYxHiltupEPfLsQGFCei5HYYYUEl1dKeQvq8detgXrC2xItouFliDdubpzOBTY0 ZuDcr9+jVR6xjSjUs1Inkw5IPKhURJZjnCLDbxpXnQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrleejgdeghecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfg hrlhcuvffnffculdejtddmnecujfgurhepfffhvfevuffkfhggtggujgesghdtreertddt vdenucfhrhhomhepofhitghhrggvlhcurfgrqhhuihgvrhcuoehmihgthhgrvghlsehprg hquhhivghrrdighiiiqeenucggtffrrghtthgvrhhnpeetleeifedufffhhfdtteelgeeg geffhfekueevteeigfduudevudetgfegiedvjeenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpehmihgthhgrvghlsehprghquhhivghrrdighiii X-ME-Proxy: Feedback-ID: i0fe9450f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 12 Jan 2023 21:09:14 -0500 (EST) Date: Fri, 13 Jan 2023 11:09:11 +0900 From: Michael Paquier To: Jelte Fennema Cc: Jelte Fennema , "isaac.morland@gmail.com" , "pgsql-hackers@lists.postgresql.org" , Nathan Bossart , Andrew Dunstan Subject: Re: [EXTERNAL] Re: [PATCH] Support using "all" for the db user in pg_ident.conf Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="MH27L2LcQpYMz1FA" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --MH27L2LcQpYMz1FA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Jan 12, 2023 at 10:10:02AM +0100, Jelte Fennema wrote: > It also makes the code simpler as we can simply reuse the > check_role function, since that. I removed the lines you quoted > since those are actually not strictly necessary. They only change > the detection logic a bit in case of a \1 existing in the string. > And I'm not sure what the desired behaviour is for those. Hmm. This is a very good point. 0004 gets really easy to follow now. > I split up that patch in two parts now and added the tests in a new 0001 > patch. Thanks, applied 0001. > 0002 should change no behaviour, since it simply stores the token in > the IdentLine struct, but doesn't start using the quoted or the regex field > yet. 0003 is debatable indeed. To me it makes sense conceptually, but > having a literal \1 in a username seems like an unlikely scenario and > there might be pg_ident.conf files in existence where the \1 is quoted > that would break because of this change. I haven't removed 0003 from > the patch set yet, but I kinda feel that the advantage is probably not > worth the risk of breakage. 0003 would allow folks to use \1 in a Postgres username if quoted. My choice would be to agree with you here. Even if folks applying quotes would not be able anymore to replace the pattern, the risk seems a bit remote? I would suspect that basically everybody does not rely on '\1' being in the middle of pg-username string, using it only as a strict replacement of the result coming from system-username to keep a simpler mapping between the PG roles and the krb5/gss system roles. Even if they use a more complex schema that depends on strstr(), things would break if they began the pg-username with quotes. Put it simply, I'd agree with your 0003. > 0004 adds some breakage too. But there I think the advantages far outweigh > the risk of breakage. Both because added functionality is a much bigger > advantage, and because we only risk breaking when there exist users that > are called "all", start with a literal + or start with a literal /. > Only "all" seems > like a somewhat reasonable username, but such a user existing seems > unlikely to me given all its special meaning in pg_hba.conf. (I added this > consideration to the commit message) I don't see how much that's different from the recent discussion with regexps added for databases and users to pg_hba.conf. And consistency sounds pretty good to me here. > Finally, one separate thing I noticed is that regcomp_auth_token only > checks the / prefix, but doesn't check if the token was quoted or not. > So even if it's quoted it will be interpreted as a regex. Maybe we should > change that? At least for the regex parsing that is not released yet. regcomp_auth_token() should not decide to compile a regexp depending on if an AuthToken is quoted or not. Regexps can have commas, and this would impact the case of database or role lists in HBA entries. And that could be an issue with spaces as well? See the docs for patterns like: db1,"/^db\d{2,4}$",db2 Point taken that we don't care about lists for pg_ident entries, though. > You didn't write a response about this, but you did quote it. Did you intend > to respond to it? Nah, I should have deleted it. I had no useful opinion on this particular point. -- Michael --MH27L2LcQpYMz1FA Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEG72nH6vTowiyblFKnvQgOdbyQH0FAmPAvUcACgkQnvQgOdby QH2PJw/+LyPSQoBtll/EfdHvslax7ggEOTCHQzlcmV3J8vE+cQ4iq+0F4NlFnGvZ jf+YbkRGpnUFo11aunsl0SCsngZIKRRML72RFwCOkrAwb8SKHLL/60Sj9iu24GRv 2EmHrVBKuSluS5s64HnW/UwrTsdwFJeVTaWvlnrnNlzGujw19DaJg3wxSrrLRH8e /FnIrxxZU5r1pfoYGxLu31V2DIARBLyaClRCZwcnSiJE38HrCmmYBhI1kMApImLA s3ohGYBHJ+ns9noV25C0k74wu8DiqTdg1A4MfAfb5+5OIAqi22uoKKJxFENUWq76 h/m2jXRpyWIEJsFhYgdvdMQ/8YqMHegHESEdROIzvUwVP9jgMmyyXHWDe27lZ71u neouUpwDOhN5TbDz2PIyvktZtdLt28xJc8dLbqjfWacUw6ETUJSdZUiKweLHkHg8 1dZf7OiVh52XV3pFfHz5nz6OXuvsyvnWv4l9pSGdwAA8dyRM4veLYMzd6z8TF0X/ VBQCytkixkMKOjocluv57ODgYbAfecCv50ofamq77TlLD5ZEAgKTh3dKDCgMfVTM 9Eb+/Xya3dtw2z+5ZyO7jbtaD478fddK7pRlkr1L37RFh6JFaTv7ewpk8aIbNcGI d9hMCuJLJUW0o5MmztC3tatsmkU8perLBPeuW0eIyVfGfitvP4U= =OL87 -----END PGP SIGNATURE----- --MH27L2LcQpYMz1FA--