Re: Allow file inclusion in pg_hba and pg_ident files

On Wed, Oct 26, 2022 at 11:32:14PM +0800, Julien Rouhaud wrote:
> I don't mind taking care of that, but before doing so I'd like to have some
> feedback on whether you're ok with my approach (per my initial email about it
> at [1]) or if you had some different
> ideas on how to do it.

Putting things afresh, there are two different things here (sorry I
need to see that typed ;p):
1) How do we want to check reliably the loading of the HBA and ident
files on errors? EXEC_BACKEND would reload an entire new thing for
each connection, hence we need some loops to go through that.
2) How to check the contents of pg_hba_file_rules and
pg_ident_file_mappings?

There is a dependency between 1) and 2) once we try to check for error
patterns in pg_hba_file_rules, because connections would just not
happen. This is not the case for pg_ident_file_mappings though, so we
could still test for buggy patterns in pg_ident.conf (or any of its
included parts) with some expected content of
pg_ident_file_mappings.error after a successful connection.

Hmm. And what if we just gave up on the checks for error patterns in
pg_hba_file_rules? One thing that we could do for this part is to
include all the buggy patterns we want to check at once in pg_hba.conf
in its included portions, then scan for all the logs produced after
attempting to start a server as the loading of pg_hba.conf would
produce one LOG line with its CONTEXT for each buggy entry. The patch
checks for error patterns with generate_log_err_rows(), but it looks
like it would make the part 3 of the new test cleaner and easier to
maintain in the long-term.
--
Michael