Re: [PATCH] Add inline comments to the pg_hba_file_rules view

Поиск
Список
Период
Сортировка
От Jim Jones
Тема Re: [PATCH] Add inline comments to the pg_hba_file_rules view
Дата
Msg-id 39262770-a13e-3639-ea91-cd1a338ec589@uni-muenster.de
обсуждение исходный текст
Ответ на Re: [PATCH] Add inline comments to the pg_hba_file_rules view  (Peter Eisentraut <peter@eisentraut.org>)
Ответы Re: [PATCH] Add inline comments to the pg_hba_file_rules view
Список pgsql-hackers
Дерево обсуждения 
Hi!

On 26.09.23 15:19, Peter Eisentraut wrote:
> On 04.09.23 11:54, Jim Jones wrote:
>> This patch proposes the column "comment" to the pg_hba_file_rules 
>> view. It basically parses the inline comment (if any) of a valid 
>> pg_hba.conf entry and displays it in the new column.
>>
>> For such pg_hba entries ...
>>
>> host db jim 127.0.0.1/32 md5 # foo
>> host db jim 127.0.0.1/32 md5 #bar
>> host db jim 127.0.0.1/32 md5 #     #foo#
>
> I'm skeptical about this.
>
> First, there are multiple commenting styles.  The end-of-line style is 
> less common in my experience, because pg_hba.conf lines tend to 
> belong. Another style is
>
> # foo
> host db jim 127.0.0.1/32 md5
> # bar
> host db jim 127.0.0.1/32 md5
>
> or even as a block
>
> # foo and bar
> host db jim 127.0.0.1/32 md5
> host db jim 127.0.0.1/32 md5
>
> Another potential problem is that maybe people don't want their 
> comments leaked out of the file.  Who knows what they have written in 
> there.

I also considered this for a while. That's why I suggested only inline 
comments. On a second thought, I agree that making only certain types of 
comments "accessible" by the pg_hba_file_rules view can be misleading 
and can possibly leak sensible info if misused.

>
> I think we should leave file comments be file comments.  If we want 
> some annotations to be exported to higher-level views, we should make 
> that an intentional and explicit separate feature.

My first suggestion [1] was to use a different character (other than 
'#'), but a good point was made, that it would add more complexity to 
the hba.c, which is already complex enough.
My main motivation with this feature is to be able to annotate pg_hba 
entries in a way that it can be read using the pg_hba_file_rule via SQL 
- these annotations might contain information like tags, client 
(application) names or any relevant info regarding the granted access. 
This info would help me to generate some reports that contain client 
access information. I can sort of achieve something similar using 
pg_read_file(),[2] but I thought it would be nice to have it directly 
from the view.

Do you think that this feature is in general not a good idea? Or perhaps 
a different annotation method would address your concerns?

Thank you very much for taking a look into it!
Jim



1- 
https://www.postgresql.org/message-id/flat/3fec6550-93b0-b542-b203-b0054aaee83b@uni-muenster.de
2- 
https://www.postgresql.org/message-id/b63625ca-580f-14dc-7e7c-f90cd4d95cf7%40uni-muenster.de

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Tom Lane
Дата:
Сообщение: Re: [PGdocs] fix description for handling pf non-ASCII characters
Следующее
От: Jeff Davis
Дата:
Сообщение: Re: Is this a problem in GenericXLogFinish()?