Re: ALTER SYSTEM for pg_hba.conf

On 04-01-2017 17:30, Tom Lane wrote:
> Simon Riggs <simon(at)2ndquadrant(dot)com> writes:
>> My next thought is ALTER SYSTEM support for pg_hba.conf, especially
>> since that would make it easier to do a formal test of Haribabu's
>> pg_hba view patch by adding each of the options one by one and then
>> juggling them.
>
> It's quite unclear from this spec what you have in mind to control the
> entry order. Also, I'd personally be -1 on inventing a pile of new SQL
> keywords for this. Why not do it with a function, instead? Or for extra
> credit, finish the pg_hba view work first and then make it an updatable
> view.
>
Even if you made the view updatable, you need a field to control the
order. It has the line_number but an specific field would be desirable
(someone could add a blank or comment line between querying the view and
typing the update command).

Also, in-place update a .conf file was something vetoed in the ALTER
SYSTEM design and I think it was a clever idea. If we decided to mix
automated and hand editing, a rewrite on every change is an easier path.
Unlike ALTER SYSTEM, I'm afraid we can't invent a pg_hba.auto.conf
because (i) order matters and (ii) it stops processing when a rule
matches. In this case, we'll limit the feature usefulness.

If we don't invent new fields in pg_hba.conf, a function could be a
solution instead of a SQL syntax. However, a new field could break
compatibility (unless we stick with a default value that could not be a
good idea in the security pov).

--
Euler Taveira Timbira - http://www.timbira.com.br/
PostgreSQL: Consultoria, Desenvolvimento, Suporte 24x7 e Treinamento