Re: [PATCH] Add inline comments to the pg_hba_file_rules view

Tue, 26 Sep 2023 11:41:11 -0700 

Hi!

On 26.09.23 15:19, Peter Eisentraut wrote:

On 04.09.23 11:54, Jim Jones wrote:
This patch proposes the column "comment" to the pg_hba_file_rules view. It basically parses the inline comment (if any) of a valid pg_hba.conf entry and displays it in the new column. 

For such pg_hba entries ...

host db jim 127.0.0.1/32 md5 # foo
host db jim 127.0.0.1/32 md5 #bar
host db jim 127.0.0.1/32 md5 #     #foo#


I'm skeptical about this.


First, there are multiple commenting styles.  The end-of-line style is 
less common in my experience, because pg_hba.conf lines tend to 
belong. Another style is


# foo
host db jim 127.0.0.1/32 md5
# bar
host db jim 127.0.0.1/32 md5

or even as a block

# foo and bar
host db jim 127.0.0.1/32 md5
host db jim 127.0.0.1/32 md5


Another potential problem is that maybe people don't want their 
comments leaked out of the file.  Who knows what they have written in 
there.



I also considered this for a while. That's why I suggested only inline 
comments. On a second thought, I agree that making only certain types of 
comments "accessible" by the pg_hba_file_rules view can be misleading 
and can possibly leak sensible info if misused.





I think we should leave file comments be file comments.  If we want 
some annotations to be exported to higher-level views, we should make 
that an intentional and explicit separate feature.



My first suggestion [1] was to use a different character (other than 
'#'), but a good point was made, that it would add more complexity to 
the hba.c, which is already complex enough.
My main motivation with this feature is to be able to annotate pg_hba 
entries in a way that it can be read using the pg_hba_file_rule via SQL 
- these annotations might contain information like tags, client 
(application) names or any relevant info regarding the granted access. 
This info would help me to generate some reports that contain client 
access information. I can sort of achieve something similar using 
pg_read_file(),[2] but I thought it would be nice to have it directly 
from the view.



Do you think that this feature is in general not a good idea? Or perhaps 
a different annotation method would address your concerns?


Thank you very much for taking a look into it!
Jim




1- 
https://www.postgresql.org/message-id/flat/3fec6550-93b0-b542-b203-b0054aaee...@uni-muenster.de
2- 
https://www.postgresql.org/message-id/b63625ca-580f-14dc-7e7c-f90cd4d95cf7%40uni-muenster.de


























					Reply via email to