Re: Allow file inclusion in pg_hba and pg_ident files

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: Julien Rouhaud <rjuju123@gmail.com>
Cc: Aleksander Alekseev <aleksander@timescale.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, Nathan Bossart <nathandbossart@gmail.com>
Date: 2022-03-28T08:02:14Z
Lists: pgsql-hackers
On Mon, Mar 28, 2022 at 03:43:41PM +0800, Julien Rouhaud wrote:
> On Mon, Mar 28, 2022 at 04:20:07PM +0900, Michael Paquier wrote:
>> We could use a failure path for each psql command rather than a SKIP
>> block, as you told me, if the psql fails and check that we get some
>> error strings related to the loading of auth files.  However, I am
>> scared of this design in the long-term as it could cause the tests to
>> pass with a failure triggered on platforms and/or configurations where
>> we should have a success.  So, I am tempted to drop the ball for now
>> with the TAP part.
> 
> Ok.  We could still keep the tests for the valid lines part though?

With the SQLs modified as below, this part is less interesting.

>> The patch still has value for the end-user.  I have checked the
>> backend part, and I did not notice any obvious issue.  There is one
>> thing that I am wondering though: should we change the two queries in
>> sysviews.sql so as we check that there are zero errors in the two
>> views when the files are parsed?  This simple change would avoid
>> mistakes for users running installcheck on a production installation.
> 
> Do you mean something like
> 
> SELECT count(*) > 0 AS ok,
>        count(*) FILTER (WHERE error IS NOT NULL) = 0 AS has_no_error
> FROM pg_hba_file_rules ;
> 
> and similar for pg_ident_rule_mappings?

Something like that, yes.
--
Michael

Commits

  1. Add TAP tests for include directives in HBA end ident files

  2. Introduce variables for initial and max nesting depth on configuration files

  3. Add support for file inclusions in HBA and ident configuration files

  4. Add missing initialization in tokenize_expand_file() for output list

  5. Rework memory contexts in charge of HBA/ident tokenization

  6. Add error context callback when tokenizing authentication files

  7. Invent open_auth_file() in hba.c to refactor authentication file opening

  8. Use AbsoluteConfigLocation() when building an included path in hba.c

  9. Move code related to configuration files in directories to new file

  10. doc: Fix some descriptions related to pg_ident_file_mappings

  11. Add rule_number to pg_hba_file_rules and map_number to pg_ident_file_mappings

  12. Refactor code handling the names of files loaded in hba.c

  13. Make consistent a couple of log messages when parsing HBA files

  14. Use hba_file/ident_file GUCs rather than pg_hba.conf/pg_ident.conf in logs

  15. Fix path reference when parsing pg_ident.conf for pg_ident_file_mappings

  16. Add system view pg_ident_file_mappings

  17. Modify query on pg_hba_file_rules to check for errors in regression tests

  18. Refactor code related to pg_hba_file_rules() into new file