On 1/29/15 9:13 PM, Amit Kapila wrote:
> > Aside from Tom's concern about sets not being a good way to handle
> > this (which I agree with), the idea of "editing" pg_hba.conf via SQL
> > raises all the problems that were brought up when ALTER SYSTEM was being
> > developed. One of the big problems is a question of how you can safely
> > modify a text file that's full of comments and what-not. You'd need to
> > address those issues if you hope to modify pg_hba.conf via SQL.
>
> I think the big problem you are mentioning can be resolved in
> a similar way as we have done for ALTER SYSTEM which is
> to have a separate file (.auto.conf) for settings done via
> ALTER SYSTEM command, do you see any major problem
> with that approach?

Yes I do. pg_hba.conf is completely dependent on ordering, so there's no way you can simply toss another file into the mix. It's bad enough that we do that with postgresql.auto.conf, but at least that's a simple override. With HBA a single ALTER SYSTEM could activate (or deactivate) a huge swath of pg_hba.conf. That makes for a system that's fragile, and since it's security related, dangerous.

I could maybe see an interface where we allowed users to perform line-level operations on pg_hba.conf via SQL: UPDATE line X, INSERT BEFORE/AFTER line X, DELETE line X. At least that would preserve the critical nature of rules ordering.
--
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com
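
An added example, not part of the original message and not PostgreSQL code: a simplified model of first-match evaluation of `host` records, showing why a rule's position decides whether it has any effect. The rules, addresses and helper names are constructed for illustration; only the database, user and address fields are modelled.

```python
import ipaddress

# Constructed sample "host" records: (database, user, CIDR address, method).
BASE = [
    ("all", "app", "10.0.0.0/8", "scram-sha-256"),
    ("all", "all", "0.0.0.0/0", "reject"),
]
BLOCK = ("all", "app", "10.9.0.0/16", "reject")   # intended to cut off one subnet
BROAD = ("all", "all", "0.0.0.0/0", "trust")      # a broad rule arriving from a second file

def field_matches(pattern, value):
    """'all' matches anything; otherwise the value must be in the comma list."""
    return pattern == "all" or value in pattern.split(",")

def first_match(rules, database, user, client_ip):
    """Return (1-based line number, method) of the first matching record, else None."""
    ip = ipaddress.ip_address(client_ip)
    for lineno, (db, usr, cidr, method) in enumerate(rules, start=1):
        if (field_matches(db, database) and field_matches(usr, user)
                and ip in ipaddress.ip_network(cidr)):
            return lineno, method   # evaluation stops here; later lines are never consulted
    return None                     # no record matched: access is denied

def insert_before(rules, lineno, rule):
    """Line-level edit: the new rule takes position lineno, later rules shift down."""
    return rules[:lineno - 1] + [rule] + rules[lineno - 1:]

def merged(extra, rules, extra_first):
    """Model a second rules file read either before or after the main file."""
    return extra + rules if extra_first else rules + extra

if __name__ == "__main__":
    conn = ("sales", "app", "10.9.1.5")
    print("base:           ", first_match(BASE, *conn))
    print("appended file:  ", first_match(merged([BLOCK], BASE, False), *conn))
    print("insert before 1:", first_match(insert_before(BASE, 1, BLOCK), *conn))
    print("prepended file: ", first_match(merged([BROAD], BASE, True),
                                          "sales", "other", "203.0.113.7"))
```

Read after the main file, the blocking rule is dead because line 1 already matched; read before it, a single broad rule shadows every record below, including the final `reject`.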

