Re: [PATCH] Add inline comments to the pg_hba_file_rules view
| От | Jim Jones |
|---|---|
| Тема | Re: [PATCH] Add inline comments to the pg_hba_file_rules view |
| Дата | |
| Msg-id | 39262770-a13e-3639-ea91-cd1a338ec589@uni-muenster.de обсуждение исходный текст |
| Ответ на | Re: [PATCH] Add inline comments to the pg_hba_file_rules view (Peter Eisentraut <peter@eisentraut.org>) |
| Ответы |
Re: [PATCH] Add inline comments to the pg_hba_file_rules view
|
| Список | pgsql-hackers |
Hi! On 26.09.23 15:19, Peter Eisentraut wrote: > On 04.09.23 11:54, Jim Jones wrote: >> This patch proposes the column "comment" to the pg_hba_file_rules >> view. It basically parses the inline comment (if any) of a valid >> pg_hba.conf entry and displays it in the new column. >> >> For such pg_hba entries ... >> >> host db jim 127.0.0.1/32 md5 # foo >> host db jim 127.0.0.1/32 md5 #bar >> host db jim 127.0.0.1/32 md5 # #foo# > > I'm skeptical about this. > > First, there are multiple commenting styles. The end-of-line style is > less common in my experience, because pg_hba.conf lines tend to > belong. Another style is > > # foo > host db jim 127.0.0.1/32 md5 > # bar > host db jim 127.0.0.1/32 md5 > > or even as a block > > # foo and bar > host db jim 127.0.0.1/32 md5 > host db jim 127.0.0.1/32 md5 > > Another potential problem is that maybe people don't want their > comments leaked out of the file. Who knows what they have written in > there. I also considered this for a while. That's why I suggested only inline comments. On a second thought, I agree that making only certain types of comments "accessible" by the pg_hba_file_rules view can be misleading and can possibly leak sensible info if misused. > > I think we should leave file comments be file comments. If we want > some annotations to be exported to higher-level views, we should make > that an intentional and explicit separate feature. My first suggestion [1] was to use a different character (other than '#'), but a good point was made, that it would add more complexity to the hba.c, which is already complex enough. My main motivation with this feature is to be able to annotate pg_hba entries in a way that it can be read using the pg_hba_file_rule via SQL - these annotations might contain information like tags, client (application) names or any relevant info regarding the granted access. This info would help me to generate some reports that contain client access information. I can sort of achieve something similar using pg_read_file(),[2] but I thought it would be nice to have it directly from the view. Do you think that this feature is in general not a good idea? Or perhaps a different annotation method would address your concerns? Thank you very much for taking a look into it! Jim 1- https://www.postgresql.org/message-id/flat/3fec6550-93b0-b542-b203-b0054aaee83b@uni-muenster.de 2- https://www.postgresql.org/message-id/b63625ca-580f-14dc-7e7c-f90cd4d95cf7%40uni-muenster.de
В списке pgsql-hackers по дате отправления: