On Mon, Mar 23, 2026 at 2:45 PM Zsolt Parragi <[email protected]> wrote: > This is my only concern with this patch: since we have a list > separated validatr names as a GUC already, couldn't we require a > <validator_name>. prefix instead of the fixed "validator.", to keep > the hba configuration consistent with gucs?
Well, the `validator.` prefix lets us end-run the namespace issue [1]. It's one thing if I claim that single prefix in parse_hba_auth_opt(); it's another thing if I camp out on literally every identifier containing a dot. I'm also not convinced that it's worth spending additional code here to decide _which_ of the blessed validators is in force for the current line. (Deferring the check of the option names is bad enough, but there appears to be no way around that.) > Validators would still have to handle these options differently, but > at least it would look consistent from the user perspective - global > setting in postgresql.conf, same hba-line specific override in > pg_hba.conf. (also, validators already added global GUCs in pg18, and > this would also keep it consistent with that) After the wild goose chase I sent you on, I think consistency-in-form-but-not-function is more likely to be a liability than a benefit. Sure, validator authors will be able to pretend that users can override particular GUCs per-line, but that's not what's actually happening, so that could increase user confusion and support burden for very little practical upside. (As one example, `SHOW my_validator.setting` isn't going to behave intuitively.) Since my pitch here is "this is an architectural dead end, but it'll get us moving while we pursue the better route," I prefer something that's very obviously bespoke. Especially since validators will have to migrate from the old way to the new way, if we get our wish. I don't really want anyone to spend time resolving the collision of the two behaviors; I'd rather just let the old ugly configuration solution wither (or die), and encourage everyone to switch as rapidly as possible. > + REQUIRE_AUTH_OPTION(uaOAuth, name, "oauth"); > > Shouldn't this check go before the name validation? Yeah, I agree. (My original code had a more generic error message when the name check failed, but now that the message is OAuth-specific, I don't think it makes sense to pretend that it could belong to any other auth method.) Thanks! --Jacob [1] https://postgr.es/m/CAOYmi%2Bn9%2BVDNayxsZuG30YLxOXrVB2Wu%3DjBR4WrEdJvxjTATKw%40mail.gmail.com
