Re: Allow file inclusion in pg_hba and pg_ident files
Julien Rouhaud <rjuju123@gmail.com>
Hi,
On Mon, Mar 28, 2022 at 04:20:07PM +0900, Michael Paquier wrote:
>
> > Note that those tests fail on Windows (and I'm assuming on EXEC_BACKEND
> > builds), as they're testing invalid files which by definition prevent any
> > further connection attempt. I'm not sure what would be best to do here, apart
> > from bypassing the invalid config tests on such platforms. I don't think that
> > validating that trying to connect on such platforms when an invalid
> > pg_hba/pg_ident file brings anything.
>
> Hmm, indeed. I have been looking at that and that's annoying. As you
> mentioned off-list, in order to know if a build has an emulation of
> fork() that would avoid failures with new connection attempts after
> including some dummy entries in pg_hba.conf or pg_ident.conf, we'd
> need to look at EXEC_BACKEND (well, mostly), as of:
> - CFLAGS in pg_config, or a query on pg_config() (does not work with
> MSVC as CFLAGS is not set there).
> - A potential check on pg_config{_manual}.h.
> - Perhaps an extra dependency on $windows_os, discarding incorrectly
> cygwin that should be able to work.
Yeah, detecting !cygwin-Windows or EXEC_BACKEND in the TAP tests is quite hard.
> We could use a failure path for each psql command rather than a SKIP
> block, as you told me, if the psql fails and check that we get some
> error strings related to the loading of auth files. However, I am
> scared of this design in the long-term as it could cause the tests to
> pass with a failure triggered on platforms and/or configurations where
> we should have a success. So, I am tempted to drop the ball for now
> with the TAP part.
Ok. We could still keep the tests for the valid lines part though?
> The patch still has value for the end-user. I have checked the
> backend part, and I did not notice any obvious issue. There is one
> thing that I am wondering though: should we change the two queries in
> sysviews.sql so as we check that there are zero errors in the two
> views when the files are parsed? This simple change would avoid
> mistakes for users running installcheck on a production installation.
Do you mean something like
SELECT count(*) > 0 AS ok,
count(*) FILTER (WHERE error IS NOT NULL) = 0 AS has_no_error
FROM pg_hba_file_rules ;
and similar for pg_ident_rule_mappings?
Commits
-
Add TAP tests for include directives in HBA end ident files
- cbe6e482d7bf 16.0 landed
-
Introduce variables for initial and max nesting depth on configuration files
- d13b684117bd 16.0 landed
-
Add support for file inclusions in HBA and ident configuration files
- a54b658ce77b 16.0 landed
-
Add missing initialization in tokenize_expand_file() for output list
- d5566fbfeb6a 16.0 landed
-
Rework memory contexts in charge of HBA/ident tokenization
- efc981627a72 16.0 landed
-
Add error context callback when tokenizing authentication files
- ad6c52846f13 16.0 landed
-
Invent open_auth_file() in hba.c to refactor authentication file opening
- 783e8c69cbcd 16.0 landed
-
Use AbsoluteConfigLocation() when building an included path in hba.c
- 6bbd8b73857a 16.0 landed
-
Move code related to configuration files in directories to new file
- a1a7bb8f16cd 16.0 landed
-
doc: Fix some descriptions related to pg_ident_file_mappings
- 468a9f37fb69 15.1 landed
- e76502871ee3 16.0 landed
-
Add rule_number to pg_hba_file_rules and map_number to pg_ident_file_mappings
- c591300a8f54 16.0 landed
-
Refactor code handling the names of files loaded in hba.c
- 1b73d0b1c393 16.0 landed
-
Make consistent a couple of log messages when parsing HBA files
- 718fe0a14add 16.0 landed
-
Use hba_file/ident_file GUCs rather than pg_hba.conf/pg_ident.conf in logs
- 47ab1ac822cd 16.0 landed
-
Fix path reference when parsing pg_ident.conf for pg_ident_file_mappings
- 7977ac1640a7 15.0 landed
- 27e0ee57f68d 16.0 landed
-
Add system view pg_ident_file_mappings
- a2c84990bea7 15.0 landed
-
Modify query on pg_hba_file_rules to check for errors in regression tests
- 091a971bb59c 15.0 landed
-
Refactor code related to pg_hba_file_rules() into new file
- d4781d8873f8 15.0 landed