Hi hackers,
Attached is a patch proposal to allow the use of regular expressions for
the username in pg_hba.conf.
Using regular expressions for the username in the pg_hba.conf file is
convenient in situations where an organization has a large number of
users and needs an expressive way to map them.
For example, if an organization wants to allow gss connections only for
users having their principal, e.g. @BDTFOREST.LOCAL, they could make use
of an entry in pg_hba.conf such as:
host all /^.*@BDTFOREST.LOCAL$ 0.0.0.0/0 gss
Without this patch, I can think of three alternatives with existing
functionality, which all have tradeoffs. These include:
1) Create an entry per user: this is challenging for organizations
managing large numbers of users (e.g. 1000s). This is also not dynamic,
i.e. the HBA file would need to be updated when users are added or removed.
2) Use a mapping in pg_ident.conf, for example:
Here is an entry in pg_hba.conf that uses a map:
host all all 0.0.0.0/0 gss map=mygssmap
and by defining this mapping in pg_ident.conf:
mygssmap /^(.*)@BDTFOREST\.LOCAL$ \1@BDTFOREST.LOCAL
That works for filtering the username.
LOG: connection authenticated: identity="bertrand@BDTFOREST.LOCAL" method=gss (/pg_installed/data/pg_hba.conf:95)
$ grep -n mygssmap /pg_installed/data/pg_hba.conf
95:host all all 0.0.0.0/0 gss map=mygssmap
However, the behavior is not the same for the ones that don’t match the
mapping in pg_ident.conf: indeed the connection attempt stops here and
the next HBA line won’t be evaluated.
FATAL: GSSAPI authentication failed for user "bdt"
DETAIL: Connection matched pg_hba.conf line 95: "host all all 0.0.0.0/0 gss map=mygssmap"
3) Make use of a role in pg_hba.conf, e.g. “+BDTONLY”. That would work
too, and also allow the evaluation of the next HBA line for the ones
that are not part of the role.
However:
- That’s not as dynamic as the regular expression, as new users
would need to be granted the role and some users who are moving in the
company may need to have the role revoked.
- Looking at the regular expression in the HBA file makes it clear
what filtering needs to be done. This is not obvious when looking at the
role, even if it has a meaningful name. This can generate “incorrect
filtering” should one user be granted the role by mistake, or make it
more difficult to debug why a user is not being matched to a particular
line in the HBA file.
This is why I think username filtering with regular expressions would
provide its own advantages.
Thoughts? Looking forward to your feedback,
Regards,
--
Bertrand Drouvot
Amazon Web Services: https://aws.amazon.com
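The behavioral difference the post describes, as an added simulation written for this page (it is not PostgreSQL source and not part of the proposed patch): with `map=mygssmap` the `host all all` line is selected for every user, so a failed map lookup ends the attempt on that line; with the proposed regex username field, a non-matching user simply does not select the line and the next HBA line is evaluated. The matcher is a simplified reading of the documented pg_hba.conf / pg_ident.conf semantics (first matching line wins; `all` matches anything; a leading `/` marks a regex; a `\1` in the pg-username of a map is replaced by the first capture group). The sample configuration and the client names `bdt@OTHER.LOCAL` and `10.0.0.5` are constructed for the example.

```python
"""Simplified simulation of pg_hba.conf line selection with a pg_ident.conf
map versus a regex username field.  Illustrative code for this post, not
PostgreSQL source; the matching rules are a simplified reading of the
documented semantics."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class HbaLine:
    lineno: int
    conn_type: str
    database: str
    user: str
    address: str
    method: str
    options: dict


def parse_hba(text):
    """Parse 'TYPE DATABASE USER ADDRESS METHOD [OPTIONS]' lines; '#' starts a comment."""
    lines = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()
        if not body:
            continue
        conn_type, database, user, address, method = body[:5]
        options = dict(opt.split("=", 1) for opt in body[5:])
        lines.append(HbaLine(n, conn_type, database, user, address, method, options))
    return lines


def parse_ident(text):
    """Parse 'MAPNAME SYSTEM-USERNAME PG-USERNAME' lines into {map: [(system, pg)]}."""
    maps = {}
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if body:
            name, system, pg = body
            maps.setdefault(name, []).append((system, pg))
    return maps


def field_matches(pattern, value):
    """'all' matches anything; a leading '/' marks a regex (the syntax the patch proposes)."""
    if pattern == "all":
        return True
    if pattern.startswith("/"):
        return re.search(pattern[1:], value) is not None
    return pattern == value


def ident_matches(maps, map_name, identity, pg_user):
    """pg_ident map check: a regex system name may capture \\1 for substitution."""
    for system, pg in maps.get(map_name, []):
        if system.startswith("/"):
            m = re.search(system[1:], identity)
            if m is None:
                continue
            target = pg.replace(r"\1", m.group(1)) if m.groups() else pg
        else:
            if system != identity:
                continue
            target = pg
        if target == pg_user:
            return True
    return False


def select_line(hba, conn_type, database, user, client_ip):
    """First line whose type, database, user and address fields all match wins."""
    addr = ipaddress.ip_address(client_ip)
    for line in hba:
        if (line.conn_type == conn_type
                and field_matches(line.database, database)
                and field_matches(line.user, user)
                and addr in ipaddress.ip_network(line.address, strict=False)):
            return line
    return None


def connect(hba, maps, user, identity, database="postgres", client_ip="10.0.0.5"):
    """Return (outcome, selected pg_hba line number).  'identity' is the GSS
    principal; 'user' is the database role the client asked for."""
    line = select_line(hba, "host", database, user, client_ip)
    if line is None:
        return ("FATAL: no pg_hba.conf entry", None)
    if line.method == "gss" and "map" in line.options:
        if not ident_matches(maps, line.options["map"], identity, user):
            # authentication failed on the selected line: later lines are never tried
            return ("FATAL: GSSAPI authentication failed", line.lineno)
    return (f"OK: {line.method}", line.lineno)


# --- constructed sample configuration (not from a real server) -------------
HBA_WITH_MAP = parse_hba("host all all 0.0.0.0/0 gss map=mygssmap\n"
                         "host all all 0.0.0.0/0 scram-sha-256")
HBA_WITH_REGEX = parse_hba("host all /^.*@BDTFOREST.LOCAL$ 0.0.0.0/0 gss\n"
                           "host all all 0.0.0.0/0 scram-sha-256")
IDENT = parse_ident(r"mygssmap /^(.*)@BDTFOREST\.LOCAL$ \1@BDTFOREST.LOCAL")

if __name__ == "__main__":
    ok = "bertrand@BDTFOREST.LOCAL"
    print(connect(HBA_WITH_MAP, IDENT, ok, ok))                  # map matches, line 1
    print(connect(HBA_WITH_MAP, IDENT, "bdt", "bdt@OTHER.LOCAL"))   # stops at line 1
    print(connect(HBA_WITH_REGEX, IDENT, "bdt", "bdt@OTHER.LOCAL")) # falls through to line 2
```

One caveat worth checking in a real HBA file: the regex in the post's pg_hba.conf example leaves the realm's `.` unescaped, so it matches any character in that position, whereas the pg_ident.conf example anchors the realm with `\.`; `field_matches("/^.*@BDTFOREST.LOCAL$", "x@BDTFORESTXLOCAL")` returns `True` in this simulation for that reason, and escaping the dot is the tighter choice.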