community.postgresql.pg_hba can bring a pg_hba.conf into an unmanageable state. #705
Comments
Hmm, I've been looking at this a bit. There is a clean way to handle this, which requires a bit more work: I guess based off of the spec in the hba documentation: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html , we could add a simple two-step validation for the rule key values:
This would slot in right there: https://github.com/ansible-collections/community.postgresql/blob/main/plugins/modules/postgresql_pg_hba.py#L803

In that case, this split also has to be extended to handle quoted values, which isn't a big deal:

Alternatively, we could just disallow spaces in rule values. I'm fine setting up either.
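One way to handle rule values that contain spaces, along the lines discussed in the comment above, as an added example (not code from the module or from the commenter): a quote-aware field splitter plus a check that a rule parses back to the same fields before it is written. The names `split_hba_line`, `quote_value` and `render_rule` are hypothetical, and the sketch assumes embedded double quotes and control characters are rejected rather than escaped.

```python
import re

def split_hba_line(line):
    """Split one pg_hba.conf record into fields, honouring double quotes and # comments."""
    fields, buf, in_quote, started = [], [], False, False
    for ch in line:
        if ch == '"':
            in_quote, started = not in_quote, True
        elif ch == "#" and not in_quote:
            break                      # rest of the line is a comment
        elif ch.isspace() and not in_quote:
            if started:                # whitespace outside quotes ends a field
                fields.append("".join(buf))
                buf, started = [], False
        else:
            buf.append(ch)
            started = True
    if in_quote:
        raise ValueError("unterminated double quote in pg_hba line")
    if started:
        fields.append("".join(buf))
    return fields

def quote_value(value):
    """Validate one rule value and quote it if it would otherwise split or start a comment."""
    # Assumption: embedded double quotes and control characters are rejected outright.
    if not value or '"' in value or any(ord(c) < 32 for c in value):
        raise ValueError("unsupported pg_hba value: %r" % value)
    return '"%s"' % value if re.search(r"[\s#]", value) else value

def render_rule(fields):
    """Serialize a rule and refuse it unless it parses back to the same fields."""
    line = "\t".join(quote_value(f) for f in fields)
    if split_hba_line(line) != list(fields):
        raise ValueError("rule would not round-trip: %r" % (fields,))
    return line

# Constructed sample: a user name containing a space.
SAMPLE = ["host", "all", "some user", "127.0.0.1/32", "md5"]

if __name__ == "__main__":
    print(render_rule(SAMPLE))
    print(len(" ".join(SAMPLE).split()), "fields when written and split naively")
```

The tokenizer drops the quotes, so it does not preserve the distinction pg_hba.conf makes between a keyword such as `all` and the quoted literal `"all"`.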
Hi @Tetha, thanks for pointing that out. The parsing/serialization done by the
@betanummeric do you suggest to use lark or a similar library? Or should we parse it with regexes?
Hi @toydarian, I didn't know about lark. Do you have experience with that? Adding any new library has these drawbacks:
Of course implementing the parsing on our own (with regexes) may not be perfect either. That can get complex to write and maintain and contain bugs as well. I would prefer trying to extend the already-existing custom parsing to fix the known bugs and see how complex that gets, before trying with a new dependency.
SUMMARY
Moin,
the plugin community.postgresql.pg_hba is able to bring a pg_hba file into a state it cannot modify again. This then requires some manual cleanup, and results in a bunch of rather confusing error messages.

For the record, I've set up a separate ansible installation for this reproduction so I could check this issue with the latest ansible and latest community.postgresql. Hence why I have to wrestle a bit with environment variables in places.
ISSUE TYPE
COMPONENT NAME
community.postgresql.postgresql_pg_hba
ANSIBLE VERSION
We also see this behavior with ansible 2.13.
COLLECTION VERSION
We've also encountered this with version 2.2.0
CONFIGURATION
OS / ENVIRONMENT
This is an up-to-date Ubuntu 22.04 Jammy running python 3.10.
STEPS TO REPRODUCE
I've included a simple playbook here. This playbook crashes in the second task upon the first run, and afterwards it crashes in the first task, too. Most modifications of the pg_hba now fail.
Naturally, no one would write such a user manually, but this occurred when mis-handling a loop and wrote pretty much the sample user content into the pg_hba.conf.
EXPECTED RESULTS
I would expect the first pg_hba invocation to error out, because it would lead to the file being unmanageable by the plugin, I think. Especially because this also prevents postgres from loading this file, so it's not ideal to have this config in such a state.
ACTUAL RESULTS
The first run with a valid or without an existing pg_hba.conf looks like this:
and results in a pg_hba.conf like this:
A second ansible run after this crashes in the first pg_hba invocation: