Re: Allow file inclusion in pg_hba and pg_ident files
Michael Paquier <michael@paquier.xyz>
Attachments
- v20-0001-Allow-file-inclusion-in-pg_hba-and-pg_ident-file.patch (text/x-diff) patch v20-0001
- v20-0002-My-own-changes.patch (text/x-diff) patch v20-0002
On Thu, Nov 17, 2022 at 11:33:05AM +0900, Michael Paquier wrote:
> By the way, I am wondering whether process_included_authfile() is
> the most intuitive interface here. The only thing that prevents a
> common routine to process the include commands is the failure on
> GetConfFilesInDir(), where we need to build a TokenizedAuthLine when
> the others have already done so tokenize_file_with_context(). Could
> it be cleaner to have a small routine like makeTokenizedAuthLine()
> that gets reused when we fail scanning a directory to build a
> TokenizedAuthLine, in combination with a small-ish routine working on
> a directory like ParseConfigDirectory() but for HBA/ident? Or we
> could just drop process_included_authfile() entirely? On failure,
> this would make the code do a next_line all the time for all the
> include clauses.
I have been waiting for your reply for some time, so I have taken some
to look at this patch by myself and hacked on it.
At the end, the thing I was not really happy about is the
MemoryContext used to store the set of TokenizedAuthLines. I have
looked at a couple of approaches, like passing around the context as
you do, but at the end there is something I found annoying: we may
tokenize a file in the line context of a different file, storing in
much more data than just the TokenizedAuthLines. Then I got a few
steps back and began using a static memory context that only stored
the TokenizedAuthLines, switching to it in one place as of the end of
tokenize_auth_file() when inserting an item. This makes hbafuncs.c a
bit less aware of the memory context, but I think that we could live
with that with a cleaner tokenization interface. That's close to what
GUCs do, in some way. Note that this may be better as an independent
patch, actually, as it impacts the current @ inclusions.
I have noticed a bug in the logic of include_if_exists: we should
ignore only files on ENOENT, but complain for other errnos after
opening the file.
The docs and the sample files have been tweaked a bit, giving a
cleaner separation between the main record types and the inclusion
ones.
+ /* XXX: this should stick to elevel for some cases? */
+ ereport(LOG,
+ (errmsg("skipping missing authentication file \"%s\"",
+ inc_fullname)));
Should we always issue a LOG here? In some cases we use an elevel of
DEBUG3.
So, what do you think about something like the attached? I have begun
a lookup at the tests, but I don't have enough material for an actual
review of this part yet. Note that I have removed temporarily
process_included_authfile(), as I was looking at all the code branches
in details. The final result ought to include AbsoluteConfigLocation(),
open_auth_file() and tokenize_auth_file() with an extra missing_ok
argument, I guess ("strict" as proposed originally is not the usual
PG-way for ENOENT-ish problems). process_line should be used only
when we have no err_msg, meaning that these have been consumed in some
TokenizedAuthLines already.
--
Michael
Commits
-
Add TAP tests for include directives in HBA end ident files
- cbe6e482d7bf 16.0 landed
-
Introduce variables for initial and max nesting depth on configuration files
- d13b684117bd 16.0 landed
-
Add support for file inclusions in HBA and ident configuration files
- a54b658ce77b 16.0 landed
-
Add missing initialization in tokenize_expand_file() for output list
- d5566fbfeb6a 16.0 landed
-
Rework memory contexts in charge of HBA/ident tokenization
- efc981627a72 16.0 landed
-
Add error context callback when tokenizing authentication files
- ad6c52846f13 16.0 landed
-
Invent open_auth_file() in hba.c to refactor authentication file opening
- 783e8c69cbcd 16.0 landed
-
Use AbsoluteConfigLocation() when building an included path in hba.c
- 6bbd8b73857a 16.0 landed
-
Move code related to configuration files in directories to new file
- a1a7bb8f16cd 16.0 landed
-
doc: Fix some descriptions related to pg_ident_file_mappings
- 468a9f37fb69 15.1 landed
- e76502871ee3 16.0 landed
-
Add rule_number to pg_hba_file_rules and map_number to pg_ident_file_mappings
- c591300a8f54 16.0 landed
-
Refactor code handling the names of files loaded in hba.c
- 1b73d0b1c393 16.0 landed
-
Make consistent a couple of log messages when parsing HBA files
- 718fe0a14add 16.0 landed
-
Use hba_file/ident_file GUCs rather than pg_hba.conf/pg_ident.conf in logs
- 47ab1ac822cd 16.0 landed
-
Fix path reference when parsing pg_ident.conf for pg_ident_file_mappings
- 7977ac1640a7 15.0 landed
- 27e0ee57f68d 16.0 landed
-
Add system view pg_ident_file_mappings
- a2c84990bea7 15.0 landed
-
Modify query on pg_hba_file_rules to check for errors in regression tests
- 091a971bb59c 15.0 landed
-
Refactor code related to pg_hba_file_rules() into new file
- d4781d8873f8 15.0 landed