Patch proposal: make use of regular expressions for the username in pg_hba.conf
From | Drouvot, Bertrand
---|---
Subject | Patch proposal: make use of regular expressions for the username in pg_hba.conf
Date |
Msg-id | fff0d7c1-8ad4-76a1-9db3-0ab6ec338bf7@amazon.com
Replies | Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf; Re: Patch proposal: make use of regular expressions for the username in pg_hba.conf
List | pgsql-hackers
Hi hackers,

Attached is a patch proposal to allow the use of regular expressions for the username in pg_hba.conf.

Using regular expressions for the username in the pg_hba.conf file is convenient in situations where an organization has a large number of users and needs an expressive way to map them. For example, if an organization wants to allow gss connections only for users having their principal in, e.g., @BDTFOREST.LOCAL, they could make use of an entry in pg_hba.conf such as:

    host all /^.*@BDTFOREST.LOCAL$ 0.0.0.0/0 gss

Without this patch, I can think of three alternatives with existing functionality, which all have tradeoffs. This includes:

1) Create an entry per user: this is challenging for organizations managing large numbers of users (e.g. 1000s). This is also not dynamic, i.e. the HBA file would need to be updated when users are added or removed.

2) Use a mapping in pg_ident.conf. For example, here is an entry in pg_hba.conf that uses a map:

    host all all 0.0.0.0/0 gss map=mygssmap

and by defining this mapping in pg_ident.conf:

    mygssmap /^(.*)@BDTFOREST\.LOCAL$ \1@BDTFOREST.LOCAL

That works for filtering the username:

    LOG: connection authenticated: identity="bertrand@BDTFOREST.LOCAL" method=gss (/pg_installed/data/pg_hba.conf:95)

    $ grep -n mygssmap /pg_installed/data/pg_hba.conf
    95:host all all 0.0.0.0/0 gss map=mygssmap

However, the behavior is not the same for the ones that don't match the mapping in pg_ident.conf: indeed the connection attempt stops here and the next HBA line won't be evaluated.

    FATAL: GSSAPI authentication failed for user "bdt"
    DETAIL: Connection matched pg_hba.conf line 95: "host all all 0.0.0.0/0 gss map=mygssmap"

3) Make use of a role in pg_hba.conf, e.g. "+BDTONLY". That would work too, and also allow the evaluation of the next HBA line for the ones that are not part of the role.

However:

- That's not as dynamic as the regular expression, as new users would need to be granted the role and some users who are moving in the company may need to have the role revoked.
- Looking at the regular expression in the HBA file makes it clear what filtering needs to be done. This is not obvious when looking at the role, even if it has a meaningful name. This can generate "incorrect filtering" should one user be granted the role by mistake, or make it more difficult to debug why a user is not being matched to a particular line in the HBA file.

This is why I think username filtering with regular expressions would provide its own advantages.

Thoughts?

Looking forward to your feedback,

Regards,

--
Bertrand Drouvot
Amazon Web Services: https://aws.amazon.com
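To make the difference between alternative 2 and the proposed regex username concrete, here is an added simulation of the HBA first-match rule (example code, not part of the patch or of PostgreSQL itself). It is simplified: only the user column is evaluated (type, database and address are assumed to match), and the pg_ident.conf regex is applied to the same username string rather than to a separate system identity.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HbaLine:
    """One pg_hba.conf entry reduced to the fields that matter here (constructed)."""
    user: str                        # "all", a role name, or "/regex" as in the proposal
    method: str                      # e.g. "gss", "scram-sha-256"
    map_regex: Optional[str] = None  # regex of the pg_ident.conf map this line uses


def user_matches(field: str, user: str) -> bool:
    """Match the user column: 'all', an exact role name, or a leading-slash regex."""
    if field == "all":
        return True
    if field.startswith("/"):
        return re.search(field[1:], user) is not None
    return field == user


def evaluate(hba: List[HbaLine], user: str) -> Tuple[str, Optional[int]]:
    """Return (outcome, 1-based HBA line number) for a connection attempt by `user`."""
    for n, line in enumerate(hba, start=1):
        if not user_matches(line.user, user):
            continue  # user column did not match: fall through to the next line
        # The first matching line decides. A map mismatch fails authentication
        # right here; later lines are never consulted.
        if line.map_regex is not None and re.search(line.map_regex, user) is None:
            return ("FATAL: map mismatch", n)
        return (line.method, n)
    return ("no matching entry", None)


# Alternative 2 from the message: match everyone, then filter via pg_ident.conf.
WITH_MAP = [
    HbaLine("all", "gss", map_regex=r"^(.*)@BDTFOREST\.LOCAL$"),
    HbaLine("all", "scram-sha-256"),
]
# The proposal: the regex sits in the user column of pg_hba.conf itself.
WITH_REGEX = [
    HbaLine("/^.*@BDTFOREST.LOCAL$", "gss"),
    HbaLine("all", "scram-sha-256"),
]

if __name__ == "__main__":
    for name, cfg in (("map", WITH_MAP), ("regex", WITH_REGEX)):
        for u in ("bertrand@BDTFOREST.LOCAL", "bdt"):
            print(name, u, evaluate(cfg, u))
```

With the map, "bdt" matches line 1 and fails there; with the regex in the user column, "bdt" skips line 1 and reaches the scram-sha-256 line.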