Re: Allow file inclusion in pg_hba and pg_ident files

Julien Rouhaud <rjuju123@gmail.com>

From: Julien Rouhaud <rjuju123@gmail.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: Aleksander Alekseev <aleksander@timescale.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, Nathan Bossart <nathandbossart@gmail.com>
Date: 2022-03-23T02:16:34Z
Lists: pgsql-hackers
Hi,

On Wed, Mar 23, 2022 at 11:03:46AM +0900, Michael Paquier wrote:
> 
> Pushing forward with 0001 by the end of the CF is the part that has no
> controversy IMO, and I have no objections to it.  Now, after looking
> at this part, I found a few things, as of:
> - HbaToken, the set of elements in the lists of TokenizedAuthLine, is
> a weird to use as this layer gets used by both pg_hba.conf and
> pg_indent.conf before transforming them into each HbaLine and
> IdentLine.  While making this part of the internals exposed, I think
> that we'd better rename that to AuthToken at least.  This impacts the
> names of some routines internal to hba.c to copy and create
> AuthTokens.

Yeah, I thought about it but didn't rename it given your concerns about git
history.  I'm fine either way.

> - s/gethba_options/get_hba_options/, to be consistent with
> fill_hba_view() and other things.
> - The comment at the top of tokenize_auth_file() needed a refresh.
> 
> That's mostly cosmetic, and the rest of the code moved is identical.
> So at the end this part looks rather commitable to me.

Looks good to me, thanks.

> I have not been able to test 0002 in details, but it looks rather
> rather sane to me at quick glance, and it is simple.  The argument
> about more TAP tests applies to it, though, even if there is one SQL
> test to check the function execution.  It is probably better to not
> consider 0003 and 0004 for this CF.

No objection to moving 0003 and 0004 to the next commitfest.



Commits

  1. Add TAP tests for include directives in HBA end ident files

  2. Introduce variables for initial and max nesting depth on configuration files

  3. Add support for file inclusions in HBA and ident configuration files

  4. Add missing initialization in tokenize_expand_file() for output list

  5. Rework memory contexts in charge of HBA/ident tokenization

  6. Add error context callback when tokenizing authentication files

  7. Invent open_auth_file() in hba.c to refactor authentication file opening

  8. Use AbsoluteConfigLocation() when building an included path in hba.c

  9. Move code related to configuration files in directories to new file

  10. doc: Fix some descriptions related to pg_ident_file_mappings

  11. Add rule_number to pg_hba_file_rules and map_number to pg_ident_file_mappings

  12. Refactor code handling the names of files loaded in hba.c

  13. Make consistent a couple of log messages when parsing HBA files

  14. Use hba_file/ident_file GUCs rather than pg_hba.conf/pg_ident.conf in logs

  15. Fix path reference when parsing pg_ident.conf for pg_ident_file_mappings

  16. Add system view pg_ident_file_mappings

  17. Modify query on pg_hba_file_rules to check for errors in regression tests

  18. Refactor code related to pg_hba_file_rules() into new file