Re: Allow file inclusion in pg_hba and pg_ident files - Mailing list pgsql-hackers
From | Michael Paquier |
---|---|
Subject | Re: Allow file inclusion in pg_hba and pg_ident files |
Date | |
Msg-id | YkFhpydhyeNNo3Xl@paquier.xyz Whole thread Raw |
In response to | Re: Allow file inclusion in pg_hba and pg_ident files (Julien Rouhaud <rjuju123@gmail.com>) |
Responses |
Re: Allow file inclusion in pg_hba and pg_ident files
Re: Allow file inclusion in pg_hba and pg_ident files |
List | pgsql-hackers |
On Sun, Mar 27, 2022 at 05:52:22PM +0800, Julien Rouhaud wrote: > I didn't like the various suggestions, as it would mean to scatter the tests > all over the place. The whole point of those views is indeed to check the > current content of a file without applying the configuration change (not on > Windows or EXEC_BACKEND, but there's nothing we can do there), so let's use > this way. I added a naive src/test/authentication/003_hba_ident_views.pl test > that validates that specific new valid and invalid lines in both files are > correctly reported. Note that I didn't update those tests for the file > inclusion. I see. The tests ought to be more extensive though, as hba.c checks for multiple or missing fields for a varying number of expecting parameters. Here are the patterns that would cover most of the failures of the backend. For hba.conf: +host +host incorrect_db +host incorrect_db incorrect_user +host incorrect_db incorrect_user incorrect_host For pg_ident.conf: +# Error with incomplete lines. +incorrect_map +incorrect_map os_user +# Errors with lines that have multiple values, for each field. +incorrect_map_1,incorrect_map_2 +incorrect_map os_user_1,os_user_2 +incorrect_map os_user pg_role_1,pg_role_2 Then I was thinking about doing full scan of each view and could the expected errors with some GROUP BY magic. See the attached, for reference, but it would fail with EXEC_BACKEND on WIN32. > Note that those tests fail on Windows (and I'm assuming on EXEC_BACKEND > builds), as they're testing invalid files which by definition prevent any > further connection attempt. I'm not sure what would be best to do here, apart > from bypassing the invalid config tests on such platforms. I don't think that > validating that trying to connect on such platforms when an invalid > pg_hba/pg_ident file brings anything. Hmm, indeed. I have been looking at that and that's annoying. As you mentioned off-list, in order to know if a build has an emulation of fork() that would avoid failures with new connection attempts after including some dummy entries in pg_hba.conf or pg_ident.conf, we'd need to look at EXEC_BACKEND (well, mostly), as of: - CFLAGS in pg_config, or a query on pg_config() (does not work with MSVC as CFLAGS is not set there). - A potential check on pg_config{_manual}.h. - Perhaps an extra dependency on $windows_os, discarding incorrectly cygwin that should be able to work. We could use a failure path for each psql command rather than a SKIP block, as you told me, if the psql fails and check that we get some error strings related to the loading of auth files. However, I am scared of this design in the long-term as it could cause the tests to pass with a failure triggered on platforms and/or configurations where we should have a success. So, I am tempted to drop the ball for now with the TAP part. The patch still has value for the end-user. I have checked the backend part, and I did not notice any obvious issue. There is one thing that I am wondering though: should we change the two queries in sysviews.sql so as we check that there are zero errors in the two views when the files are parsed? This simple change would avoid mistakes for users running installcheck on a production installation. -- Michael
Attachment
pgsql-hackers by date: