Discussion: Add annotation syntax to pg_hba.conf entries
Hi,

I'm opening this thread after a brief discussion regarding a potential new syntax to enable annotations in pg_hba entries. [1]

This feature mainly aims to annotate pg_hba entries in a way that the annotations can be parsed and displayed in the pg_hba_file_rules view for reporting purposes. For instance, these annotations could contain information like tags, client (application) names or any relevant info regarding the granted access.

Initially I explored the possibility of using the inline comments after a '#', but there were a few valid concerns to this approach [2]

hostssl db jim 127.0.0.1/32 cert map=foo # comment

I had previously thought of introducing a new character to identify such annotations, e.g. [] ... but the necessary changes in hba.c to add this feature could add too much complexity to the code. [3]

Perhaps a "less controversial" option would be to add a new variable, just like with user name maps.

hostssl db jim 127.0.0.1/32 cert map=foo annotation=comment
hostssl db jim 127.0.0.1/32 cert map=bar annotation="comment"

Any thoughts?

Thanks!

Jim

1- https://www.postgresql.org/message-id/flat/4d623899-36ac-71b5-311d-2a4672d75736@uni-muenster.de
2- https://www.postgresql.org/message-id/E543222B-DE8D-4116-BA67-3C2D3FA83110%40yesql.se
3- https://www.postgresql.org/message-id/flat/ZPHAiNp%2ByKMsa/vc%40paquier.xyz#05a8405be272342037538ee432d92884
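A parser for the proposed syntax, added here as an example (it is not code from the thread or from PostgreSQL's hba.c): it splits pg_hba.conf lines roughly the way hba.c does (double quotes group a token, an unquoted '#' starts a comment), parses `annotation=` like `map=`, and shapes the result like the pg_hba_file_rules view with an extra annotation column. AUTH_METHODS, the field names and the sample lines are my assumptions; comma-separated lists in the database and user fields are not expanded.

```python
# Auth methods pg_hba.conf accepts; used to tell "ADDRESS MASK" apart from CIDR.
AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

def tokenize(line):
    """Tokens of one line plus its '#' comment; double quotes group a token and shield '#'."""
    tokens, cur, in_quote, comment = [], [], False, ""
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif in_quote or not (ch.isspace() or ch == "#"):
            cur.append(ch)
        elif ch == "#":                 # unquoted '#': the rest is a comment
            comment = line[i + 1:].strip()
            break
        elif cur:                       # unquoted whitespace ends a token
            tokens.append("".join(cur))
            cur = []
    if cur:
        tokens.append("".join(cur))
    return tokens, comment

def parse_hba_entry(line):
    """Fields of one entry (None for blank/comment-only lines); annotation= is parsed like map=."""
    tokens, comment = tokenize(line)
    if not tokens:
        return None
    if len(tokens) < (4 if tokens[0] == "local" else 5):
        raise ValueError(f"malformed pg_hba entry: {line!r}")
    conn_type, database, user, *rest = tokens
    address = None
    if conn_type != "local":
        address, *rest = rest
        if rest[0] not in AUTH_METHODS:   # netmask written as a separate field
            address, rest = f"{address} {rest[0]}", rest[1:]
    method, *opts = rest
    options = dict(opt.partition("=")[::2] for opt in opts)   # name=value pairs
    return {"type": conn_type, "database": database, "user_name": user,
            "address": address, "auth_method": method, "options": options,
            "annotation": options.get("annotation"), "comment": comment}

def hba_file_rules(text):
    """Rows shaped like the pg_hba_file_rules view, plus an annotation column."""
    return [{"line_number": n, **e} for n, line in enumerate(text.splitlines(), 1)
            if (e := parse_hba_entry(line)) is not None]

# Constructed sample: the proposal's two hostssl lines plus a netmask-form line.
SAMPLE_HBA = ("hostssl db jim 127.0.0.1/32 cert map=foo # comment\n"
              'hostssl db jim 127.0.0.1/32 cert map=bar annotation="billing app"\n'
              "host db jim 10.0.0.1 255.255.255.0 md5 annotation=legacy\n")
```

Running `hba_file_rules(SAMPLE_HBA)` shows the difference the proposal is about: the '#' text on line 1 is only available because this parser deliberately keeps it, while the annotation on lines 2 and 3 comes out as a regular option.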
On Wed, Oct 4, 2023 at 4:06 PM Jim Jones <jim.jones@uni-muenster.de> wrote:
> Any thoughts?

You're probably not going to like this answer very much, but this doesn't seem particularly worthwhile to me. If somebody needs to document why they did something in pg_hba.conf, they can already put a comment in the file to explain that. Or they can track the reasons for what's in the file using some completely external system, like a Google document or a git repository or whatever.

The argument for this feature is not that this information needs to exist, but that it needs to be queryable from within PostgreSQL. And I guess I just wonder if that is something that users in general want. It's not a terrible idea or anything, but it would be sad if we added such a feature and you were the only one who ever used it... and if a bunch of people now show up and say "actually, this would be great, I would totally like to have that," well, then, forget I said anything.

--
Robert Haas
EDB: http://www.enterprisedb.com
Robert Haas <robertmhaas@gmail.com> writes:
> You're probably not going to like this answer very much, but this
> doesn't seem particularly worthwhile to me.

Yeah, I was unconvinced about the number of use-cases too. As you say, some support from other potential users could convince me otherwise, but right now the evidence seems thin.

> The argument for this
> feature is not that this information needs to exist, but that it needs
> to be queryable from within PostgreSQL.

Not only that, but that it needs to be accessible via the pg_hba_file_rules view. Superusers could already see the pg_hba file's contents via pg_read_file(). Again, that's not an argument that this is a bad idea. But it's an answer that would likely satisfy some fraction of whatever potential users are out there, which makes the question of how many use-cases really exist even more pressing.

regards, tom lane
Hi Robert, Hi Tom,

Thanks for the feedback!

On 05.10.23 00:55, Tom Lane wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> You're probably not going to like this answer very much, but this
>> doesn't seem particularly worthwhile to me.
> Yeah, I was unconvinced about the number of use-cases too.
> As you say, some support from other potential users could convince
> me otherwise, but right now the evidence seems thin.

Most likely I am one of the very few using comments to sort of semantically annotate pg_hba entries :)

>> The argument for this
>> feature is not that this information needs to exist, but that it needs
>> to be queryable from within PostgreSQL.
> Not only that, but that it needs to be accessible via the
> pg_hba_file_rules view. Superusers could already see the
> pg_hba file's contents via pg_read_file().

That's my current strategy. I will keep doing that :)

> Again, that's not an argument that this is a bad idea.
> But it's an answer that would likely satisfy some fraction
> of whatever potential users are out there, which makes the
> question of how many use-cases really exist even more
> pressing.
>
> regards, tom lane

I'll withdraw the CF entry, since the feature didn't seem to resonate with other users.

Thanks again for the feedback.

Best, Jim