| From: | Greg Stark <stark(at)mit(dot)edu> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | Jim Nasby <Jim(dot)Nasby(at)bluetreble(dot)com>, Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, "Prabakaran, Vaishnavi" <vaishnavip(at)fast(dot)au(dot)fujitsu(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Jaime Casanova <jaime(at)2ndquadrant(dot)com> |
| Subject: | Re: Providing catalog view to pg_hba.conf file - Patch submission |
| Date: | 2015-03-11 17:32:23 |
| Message-ID: | CAM-w4HMj69+f_aLRpJT+37598dz2eGFG3ge4=-4qt_dwtNh=nw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Mar 6, 2015 at 3:11 AM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> The point is, it should be one or the other (or both), not something in
> the middle.
>
> It's either a textual representation of the file or a semantic one. If
> it's the latter, then all user names, group names, and special key words
> need to be resolved in some way that they cannot be confused with
> unfortunately named user names. And there needs to be a way that we can
> add more in the future.
>
I think what we have here is already a good semantic representation. It
doesn't handle all the corner cases but those corner cases are a) very
unlikely and b) easy to check for. A tool can check for any users starting
with + or named "all" or any databases called "sameuser" or "samerole". If
they exist then the view isn't good enough to reconstruct the raw file. But
they're very unlikely to exist, I've never heard of anyone with such things
and can't imagine why someone would make them.
The view as is is useful for everyone. Someone who wants to write a tool
can reconstruct the file as long as none of the problematic names exist in
the database. Someone who wants to run audits can run queries to see what
users have access to or check the permissions on a database and do simple
comparisons to check for whatever they want to check for.
If we change it to be 100% unambiguous then it will be cumbersome to work
with. The view will have 5 columns instead of 2 dedicated to users and
databases. It will be much harder for humans to read, and for people
writing code they'll have to check three columns for matches. It just seems
like a lot of busywork to make it less useful.
Attached are two copies of the view, one as is today and one with the
keywords and recursive elements broken out.
Also, fwiw as far as adding more in the future -- breaking the keywords out
into a separate column wouldn't interfere with that but if we want to
include any additional syntax like + then it will require additional
columns. That would actually be less flexible for future changes.
I'm inclined to commit this as is.
--
greg
| Attachment | Content-Type | Size |
|---|---|---|
| pg_hba_settings.txt | text/plain | 19.7 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2015-03-11 18:37:17 | Re: improve pgbench syntax error messages |
| Previous Message | Tom Lane | 2015-03-11 17:24:28 | Re: Precedence of standard comparison operators |