On 5/22/23 4:18 PM, Robert Haas wrote:
On Sun, May 21, 2023 at 3:05 PM Jonathan S. Katz <jk...@postgresql.org> wrote:* Support for regular expressions for matching usernames and databases names in `pg_hba.conf`, and user names in `pg_ident.conf`I suggest that this is not a major feature. Perhaps the work that I did to improve CREATEROLE could be considered for inclusion in the major features list. In previous releases, someone with CREATEROLE can hack the PG OS account. Now they can't. In previous releases, someone with CREATEROLE can manage all non-superuser roles, but now they can manage the roles they create (or ones they are given explicit authority to manage). You can even control whether or not such users automatically inherit the privileges of roles they create, as superusers inherit all privileges. There is certainly some argument that this is not a sufficiently significant set of changes to justify a major feature mention, and even if it is, it's not clear to me exactly how it would be best worded. And yet I feel like it's very likely that if we look back on this release in 3 years, those changes will have had a significant impact on many PostgreSQL deployments, above all in the cloud, whereas I think it likely that the ability to have regular expressions in pg_hba.conf and pg_ident.conf will have had very little effect by comparison. Of course, there is always a possibility that I'm over-estimating the impact of my own work.
In general, I'm completely fine with people advocating for their own features during this process, in case there's something that I missed.
For this case, while I think this work is very impactful, but I don't know if I'd call it a major feature vs. modifying an unintended behavior. Additionally, folks have likely put mitigations in place for this through the years. I'm happy to be convinced otherwise.
The regular expressions in the files adds an ability that both we didn't have before, and has been a request I've heard from users with very large deployments. For them, it'll help simplify a lot of their configurations/automations for setting this up en masse. Again, I'm happy to be convinced otherwise.
I wanted to use the beta release to allow for us to see 1/ how people ultimately test these things and 2/ help better sift out what will be called a major feature. We could end up shuffling items in the list or completely rewriting it, so it's not set in stone.
Thanks, Jonathan
OpenPGP_signature
Description: OpenPGP digital signature
