Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf - Mailing list pgsql-hackers

From Drouvot, Bertrand
Subject Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf
Date
Msg-id e346f82f-4a6b-22f7-d6c1-cef16d472de9@gmail.com
In response to Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf  (Michael Paquier <michael@paquier.xyz>)
Responses Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers
Hi,

On 10/5/22 9:24 AM, Michael Paquier wrote:
> On Tue, Sep 20, 2022 at 01:33:09PM +0200, Drouvot, Bertrand wrote:
> Anyway, I have looked at the patch.
> 
> +   List       *roles_re;
> +   List       *databases_re;
> +   regex_t    hostname_re;
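Review bot: `regex_t hostname_re` is embedded by value and, in the lines shown, nothing beside it records whether it has been compiled, so code that matches against it or frees it cannot tell a line with a hostname regex from one without. Add a flag next to it, or make it a pointer that is NULL when unused, and give the three new fields comments saying how they relate to the existing plain-name entries.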
> I am surprised by the approach of using separate lists for the regular
> expressions and the raw names.  Wouldn't it be better to store
> everything in a single list but assign an entry type?  In this case it
> would be either regex or plain string.  This would minimize the
> footprint of the changes (no extra arguments *_re in the routines
> checking for a match on the roles, databases or hosts).  And it seems
> to me that this would make unnecessary the use of re_num here and
> there. 

Please find attached v5 addressing this. I started with a union but it
turns out that we still need the plain string when a regex is used. This
is not needed for the authentication per se but for fill_hba_line(). So
I ended up creating a new struct without union in v5.

> The hostname is different, of course, requiring only an extra
> field for its type, or something like that.

I'm using the same new struct as described above for the hostname.

> 
> Perhaps the documentation would gain in clarity if there were more
> examples, like a set of comma-separated examples (mix of regex and raw
> strings for example, for all the field types that gain support for
> regexes)?
> 

Right, I added more examples in v5.

> -$node->append_conf('postgresql.conf', "log_connections = on\n");
> +$node->append_conf(
> +    'postgresql.conf', qq{
> +listen_addresses = '127.0.0.1'
> +log_connections = on
> +});
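Review bot: the added `listen_addresses = '127.0.0.1'` makes this test's server accept TCP connections on loopback, where any local user on the test machine can reach it, and the hunk has no comment saying why TCP is required. State the reason in the test and keep the hostname cases in a suite that is already expected to open a TCP listener.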
> Hmm.  I think that we may need to reconsider the location of the tests
> for the regexes with the host name, as the "safe" regression tests
> should not switch listen_addresses.  One location where we already do
> that is src/test/ssl/, so these could be moved there. 

Good point, I moved the hostname-related tests to src/test/ssl.

Regards,

-- 
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
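
The design discussed in this message, one entry struct that keeps the plain string next to the compiled regex so a single matcher serves both kinds, sketched as an added example with POSIX `regex.h`; it is not code from the patch. `HbaEntry`, `entry_init`, `entry_matches`, `demo_match` and the leading-`/` regex marker are assumptions of this sketch, and the sample list is constructed.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical entry: the raw text is always kept (e.g. to display the
 * rule); the compiled regex is valid only when is_regex is true. */
typedef struct { char *raw; bool is_regex; regex_t re; } HbaEntry;

/* Assumption of this example: a leading '/' marks a regex entry. */
static int entry_init(HbaEntry *e, const char *text) {
    e->is_regex = (text[0] == '/');
    if ((e->raw = malloc(strlen(text) + 1)) == NULL) return -1;
    strcpy(e->raw, text);
    if (e->is_regex && regcomp(&e->re, text + 1, REG_EXTENDED | REG_NOSUB)) {
        free(e->raw);   /* reject the entry; never fall back to plain text */
        return -1;
    }
    return 0;
}

static void entry_free(HbaEntry *e) {
    if (e->is_regex) regfree(&e->re);
    free(e->raw);
}

/* One matcher for both kinds, so callers need no separate *_re list. */
static bool entry_matches(const HbaEntry *e, const char *name) {
    return e->is_regex ? regexec(&e->re, name, 0, NULL, 0) == 0
                       : strcmp(e->raw, name) == 0;
}

/* Constructed list "alice,/^app_[a-z]+$,/admin" checked against name. */
static bool demo_match(const char *name) {
    const char *items[] = { "alice", "/^app_[a-z]+$", "/admin" };
    HbaEntry list[3];
    bool hit = false;
    size_t n = 0;
    while (n < 3 && entry_init(&list[n], items[n]) == 0) n++;
    for (size_t i = 0; n == 3 && i < n; i++)
        hit = hit || entry_matches(&list[i], name);
    for (size_t i = 0; i < n; i++) entry_free(&list[i]);
    return hit;
}

int main(void) {
    printf("%d %d\n", demo_match("app_web"), demo_match("sysadmin2"));
    return 0;
}
```

In this sketch the unanchored `/admin` entry also matches `sysadmin2`, while the plain entry `alice` matches only that exact name; a regex used in an access rule needs `^` and `$` unless substring matching is intended.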