Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf

From: "Drouvot, Bertrand" <bertranddrouvot(dot)pg(at)gmail(dot)com>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jacob Champion <jchampion(at)timescale(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf
Date: 2022-10-10 07:00:06
Message-ID: e346f82f-4a6b-22f7-d6c1-cef16d472de9@gmail.com
Lists: pgsql-hackers

Hi,

On 10/5/22 9:24 AM, Michael Paquier wrote:
> On Tue, Sep 20, 2022 at 01:33:09PM +0200, Drouvot, Bertrand wrote:
> Anyway, I have looked at the patch.
>
> + List *roles_re;
> + List *databases_re;
> + regex_t hostname_re;
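
Review bot: hostname_re is embedded as a regex_t by value, while roles_re and databases_re are List pointers that can simply be NIL, so nothing in these three fields says whether hostname_re was ever compiled. Add a flag (or make it a pointer) that the code can test before matching against it or freeing it, and give each new field a one-line comment saying what it holds.
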
> I am surprised by the approach of using separate lists for the regular
> expressions and the raw names. Wouldn't it be better to store
> everything in a single list but assign an entry type? In this case it
> would be either regex or plain string. This would minimize the
> footprint of the changes (no extra arguments *_re in the routines
> checking for a match on the roles, databases or hosts). And it seems
> to me that this would make unnecessary the use of re_num here and
> there.

Please find attached v5 addressing this. I started with a union but it
turns out that we still need the plain string when a regex is used. This
is not needed for the authentication per se but for fill_hba_line(). So
I ended up creating a new struct without union in v5.

> The hostname is different, of course, requiring only an extra
> field for its type, or something like that.

I'm using the same new struct as described above for the hostname.

>
> Perhaps the documentation would gain in clarity if there were more
> examples, like a set of comma-separated examples (mix of regex and raw
> strings for example, for all the field types that gain support for
> regexes)?
>

Right, I added more examples in v5.

> -$node->append_conf('postgresql.conf', "log_connections = on\n");
> +$node->append_conf(
> + 'postgresql.conf', qq{
> +listen_addresses = '127.0.0.1'
> +log_connections = on
> +});
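
Review bot: the added listen_addresses = '127.0.0.1' line makes this test node accept TCP connections on loopback, where the replaced line only turned on log_connections. On a shared machine any local user can reach that port, so this setup belongs in a suite that is run on request, or at least needs a comment in the test explaining why TCP is required here.
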
> Hmm. I think that we may need to reconsider the location of the tests
> for the regexes with the host name, as the "safe" regression tests
> should not switch listen_addresses. One location where we already do
> that is src/test/ssl/, so these could be moved there.

Good point, I moved the hostname-related tests to src/test/ssl.

Regards,

--
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com

Attachment Content-Type Size
v5-0001-hba_with_regexp.patch text/plain 25.4 KB
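
The single-list design discussed in this message (each entry keeps its plain string and, when it is a regex, the compiled form as well), as an added example that is not code from the v5 patch. It uses POSIX `regcomp` in place of PostgreSQL's own regex engine, and the `HbaEntry` names and the leading-`/` regex marker are assumptions.

```c
#include <regex.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; not the struct or functions of the v5 patch. */
typedef struct HbaEntry {
    const char *raw;      /* text as written in the file, always kept for display */
    bool        is_regex; /* true only when re holds a compiled expression */
    regex_t     re;       /* must not be used or freed unless is_regex is true */
} HbaEntry;

/* Assumed convention: a leading '/' marks the entry as a regular expression. */
static bool hba_entry_init(HbaEntry *e, const char *text)
{
    e->raw = text;
    e->is_regex = false;
    if (text[0] != '/')
        return true;                      /* plain string entry */
    if (regcomp(&e->re, text + 1, REG_EXTENDED | REG_NOSUB) != 0)
        return false;                     /* reject; never fall back to a literal */
    e->is_regex = true;
    return true;
}

/* regexec succeeds on any substring match, so whole-name rules need ^...$ */
static bool hba_entry_matches(const HbaEntry *e, const char *name)
{
    if (e->is_regex)
        return regexec(&e->re, name, 0, NULL, 0) == 0;
    return strcmp(e->raw, name) == 0;
}

/* One list of mixed entries and one loop: no parallel *_re list to keep in sync. */
static bool hba_list_matches(const HbaEntry *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (hba_entry_matches(&list[i], name))
            return true;
    return false;
}

static void hba_entry_free(HbaEntry *e)
{
    if (e->is_regex)
        regfree(&e->re);
    e->is_regex = false;
}
```

An unanchored entry such as `/svc` matches any name containing `svc`, which is the case to look for when reviewing rules written this way.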
