Re: Allow file inclusion in pg_hba and pg_ident files
Michael Paquier <michael@paquier.xyz>
On Wed, Nov 16, 2022 at 10:53:02AM +0800, Julien Rouhaud wrote: > While being the same inclusion infrastructure, it's likely that people will > have different usage. I'm assuming that for GUCs the main usage is to have > your automation tool put one of your template conf for instance (small_vm.conf, > big_vm.conf or something like that) in an included directory, so you don't > really need a lot of them. You can also rely on ALTER SYSTEM to avoid manually > handling configuration files entirely. > > For authentication there are probably very different pattern. The use case I > had when writing this patch is some complex application that relies on many > services, each service having dedicated role and authentication, and services > can be enabled or disabled dynamically pretty much anytime. I had to write > code to merge possibly new entries with existing pg_hba/pg_ident configuration > files. With this feature it would be much easier (and robust) to simply have a > main pg_hba/pg_ident that includes some directory, and have the service > enable/disable simply creates/removes a dedicated file for each service, and we > then would usually have at least a dozen files there. > > I'm assuming people doing multi-tenant can also have similar usage. So you main application for HBA/ident is include_dir/.. For GUCs, we would just skip the directory if it has no files, but the directory has to exist. Your patch is behaving the same. >> but that does not >> mean, it seems to me, that there should be an inconsistency in the way >> we process those commands because one has implemented a feature but >> not the other. On the contrary, I'd rather try to make them >> consistent. > > You mean stopping at the first error, even if it's only for the view reporting? > That will make the reload consistent, but the view will be a bit useless then. Yep, I meant to stop the generation of the TokenizedAuthLines at the first inclusion error by letting tokenize_auth_file() return a status to be able to stop the recursions. But after some second-thoughts pondering about this, I see why I am wrong and why you are right. As you say, stopping the generation of the TokenizedAuthLines would just limit the amount of data reported at once in the view, the golden rule for HBA/ident being that we would reload nothing as long as there is at least one error reported when parsing things. So giving more control to tokenize_auth_file() to stop a recursion, say by making it return a boolean status, makes little sense. > It would be nice to have the information that an "include_if_exists" file > didn't exist, but having a log-level message in the "error" column is a clear > POLA violation. People will probably just do something like > > SELECT file_name, line_number, error FROM pg_hba_file_rules WHERE error IS NOT > NULL; > > and report an error if any row is found. Having to parse the error field to > know if that's really an error or not is going to be a huge foot-gun. Maybe we > could indeed report the problem in err_msg but for include_if_exists display it > in some other column of the view? Hmm. One possibility would be to add a direct mention to the "include", "include_dir" and "include_if_exists" clauses through pg_hba_file_rules.type? I don't see how to do that without making the patch much more invasive as per the existing separation between tokenization and Hba/IdentLine filling, though, and perhaps the error provided with the full path to the file would provide enough context for one to know if the failure is happening on an included file for database/user lists or a full file from an "include" clause. It also means that include_if_exists remains transparent all the time. Simpler may be for the best here, at the end. By the way, I am wondering whether process_included_authfile() is the most intuitive interface here. The only thing that prevents a common routine to process the include commands is the failure on GetConfFilesInDir(), where we need to build a TokenizedAuthLine when the others have already done so tokenize_file_with_context(). Could it be cleaner to have a small routine like makeTokenizedAuthLine() that gets reused when we fail scanning a directory to build a TokenizedAuthLine, in combination with a small-ish routine working on a directory like ParseConfigDirectory() but for HBA/ident? Or we could just drop process_included_authfile() entirely? On failure, this would make the code do a next_line all the time for all the include clauses. -- Michael
Commits
-
Add TAP tests for include directives in HBA end ident files
- cbe6e482d7bf 16.0 landed
-
Introduce variables for initial and max nesting depth on configuration files
- d13b684117bd 16.0 landed
-
Add support for file inclusions in HBA and ident configuration files
- a54b658ce77b 16.0 landed
-
Add missing initialization in tokenize_expand_file() for output list
- d5566fbfeb6a 16.0 landed
-
Rework memory contexts in charge of HBA/ident tokenization
- efc981627a72 16.0 landed
-
Add error context callback when tokenizing authentication files
- ad6c52846f13 16.0 landed
-
Invent open_auth_file() in hba.c to refactor authentication file opening
- 783e8c69cbcd 16.0 landed
-
Use AbsoluteConfigLocation() when building an included path in hba.c
- 6bbd8b73857a 16.0 landed
-
Move code related to configuration files in directories to new file
- a1a7bb8f16cd 16.0 landed
-
doc: Fix some descriptions related to pg_ident_file_mappings
- 468a9f37fb69 15.1 landed
- e76502871ee3 16.0 landed
-
Add rule_number to pg_hba_file_rules and map_number to pg_ident_file_mappings
- c591300a8f54 16.0 landed
-
Refactor code handling the names of files loaded in hba.c
- 1b73d0b1c393 16.0 landed
-
Make consistent a couple of log messages when parsing HBA files
- 718fe0a14add 16.0 landed
-
Use hba_file/ident_file GUCs rather than pg_hba.conf/pg_ident.conf in logs
- 47ab1ac822cd 16.0 landed
-
Fix path reference when parsing pg_ident.conf for pg_ident_file_mappings
- 7977ac1640a7 15.0 landed
- 27e0ee57f68d 16.0 landed
-
Add system view pg_ident_file_mappings
- a2c84990bea7 15.0 landed
-
Modify query on pg_hba_file_rules to check for errors in regression tests
- 091a971bb59c 15.0 landed
-
Refactor code related to pg_hba_file_rules() into new file
- d4781d8873f8 15.0 landed