Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vhvtG-00AKOX-2k for pgsql-hackers@arkaria.postgresql.org; Mon, 19 Jan 2026 20:30:23 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vhvtE-00EYHO-28 for pgsql-hackers@arkaria.postgresql.org; Mon, 19 Jan 2026 20:30:20 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vhvtE-00EYHF-12 for pgsql-hackers@lists.postgresql.org; Mon, 19 Jan 2026 20:30:20 +0000 Received: from mail-yw1-x112a.google.com ([2607:f8b0:4864:20::112a]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vhvtC-001OWN-0o for pgsql-hackers@lists.postgresql.org; Mon, 19 Jan 2026 20:30:20 +0000 Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-7926b269f03so39757147b3.2 for ; Mon, 19 Jan 2026 12:30:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1768854615; cv=none; d=google.com; s=arc-20240605; b=Cv1226qb8JifN1Z9GzqJkWE0bFBEWAjEewzJKZcejAk/2hdnVEIQP00iH9aMXU3va7 07d+0CR3vsviaDVeBCHlGBgi763Tc6JWcPFWNO5Th9ZDjA19M7FDqDzwKA6E9KZk5Qt8 9F4dfMS+zOsUIbycV9BHQaYOxN4q1eO0TaZ+RM4roKZnjl6HQ22C9u96klvWRAQNv/ba D5AsyaEMD6upxVVC+wR2Wsf8TWjF3P2KRZMk6tX6r67lCu86t3Hy+mCEkm3QiMrxGq7h 4MTFUw9A1vgDcsBfOnlR0ufSaZrMsho8zs0JONmfcJRlGyx/ciJ9970o/aCRYLPoq84F DCxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=LmNvhzZWI56pdId0yQxKzcrbocirDt7bVl+SJpLtmvY=; fh=utq5HmRv8+1Xles94LEo0c7rv/zeqANYXDrMAFeI90I=; b=Ccrh9AE3yXZ1oz3LKulQRquo18YdxrnobS0/jHh3LEAXpuIXQ/QfE1sV9TqmltcLWa qE9wf+40k8eYoz4jsVKg0us9IogigUahvwl3DfzuUZMuYtSwDT8fw7ohh8Y7ksDrAYT9 kdNqzPfSfth7dezP/4TJjs6aUmlYvf61iRsrRmiGFM5+fBaZi2JcRO2PwxkrtynZZUYF PAHYvmG/Ny1+CNYqkWmLZb8C5mbqq8WfIMbuvbc14EKcxO3JEKg5OTCEdoAjXtryzw+z qSoMzL18DfEmzw0oooWE/NZ2IiQJhisSQXAfZifmIY/hVnxZAMucnitZnO3som0qZUdF yUBg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=percona.com; s=google; t=1768854615; x=1769459415; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=LmNvhzZWI56pdId0yQxKzcrbocirDt7bVl+SJpLtmvY=; b=aL/laWB/NvVvieM/UsDuQYIJMTHezetX9wVHt9YLlfUn7CEF8kfb6g7/rMHoU6ih2L WFv5JU4HqlN6SavdfEXUfSrahOxrj4FnMFUG4UDRXXyK7gwp0IHiAwCHgb9TanUA/zNP 7fZ5TQrDeWbo77ymZ/ODGFn9CrivkT74l8jUA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768854615; x=1769459415; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=LmNvhzZWI56pdId0yQxKzcrbocirDt7bVl+SJpLtmvY=; b=AVjs4ftEIdUsoOOcXTvJ0KP6ZVg/MHaXYDP65ncnz3exCYoIvykkDtAG5tm1/NCl+a HprM4wivTs+4PowO7AMywF5hhjXBx64Yqql1FrwEAA5n5sRH5xqUQpnctDWZ6wDAijvX 9UmE29ybZM1FPvm/LjjK5FNpQYcLoA0UoiLimt5AMT0DIst4dC3YO55uCaipqaLdBu+N ILlvRi17kwM8VAoLDTkTPzqkA6kP9vR+4V6Q98veWLjSv+TzO3uGEVA6YwPZ8VN2LsYm Kqw9JGNcARUfm1DdhzPkGuSnyGTmWJ5vrFkHXhPMhFAlfZW9dhKtPDf2vS0LtDf4ZjpV 5kLw== X-Forwarded-Encrypted: i=1; AJvYcCXZW3noJO024pcXgd3go5JO92E+AJhwdAKsJnHaFZio8ggeIEQtAPce4k5ZFx1+68ZeNSi/chxwzMwmvEJJ@lists.postgresql.org X-Gm-Message-State: AOJu0Yx+s8v8mWg/tGc8trXxeUJAOE7Qwk1rL7Ki04Bc2+vMmNsFXi7p Cid/i1iKndBjddD/FhJcOyXycwQazH+QwZVDwTRCBwHIKCXLcKXwalEgHq5cUK38KunWwkQ/k0l lC1hgFwBqJtMn8Pu6GPnF6diBNwDwpBuoYw2cbAno1pQ8jOCJwnNcd6jzz5M17qMlJYgO+sShzu PUjc1A6ShlyMSe1WlnUDtSwdhK/V4DM21qzH4bkp5rb4UNROybAyai/5QWe30RlDORm8ZENRiqj 6XyGCbX04sDMyWbmjc6VEt+xWhbjg7E5IwGuB8NWX78tX5MNB9laA5CkrX1Z4FNUYs= X-Gm-Gg: AZuq6aKnmn0uBMOXV457aaregVoWt0zCvV++A4Rh34+DiPcLIimb/r2CTkc7TdFaRig Qc2uXGKQHkxZ+3Aki/ET4FcOaD40RIQEZAMZjfuSXSX7E+co+zkNPi01HvrW6OksJf36HrbZJF1 QnhMx57Poo90VvnedEufGEUPW/4vpTqwmKSvOTtrNRq36h7qsILXAFF9KmEjzKejKZZnTb2kvuU FTqxuzIM+vR9NN6hJHX4eaWEIgaoDF0tylAfwDrFYfUZRzNds9iZh18R16nYeMAVVcdhzfRosOV dNSFXLkDPUpozBQQ30naRUlF/unknHwtS9u3bEaCStdPoZdv+Pr7hDex X-Received: by 2002:a05:690c:7092:b0:789:2e24:b786 with SMTP id 00721157ae682-793c53c1816mr223939037b3.52.1768854614920; Mon, 19 Jan 2026 12:30:14 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Zsolt Parragi Date: Mon, 19 Jan 2026 20:30:04 +0000 X-Gm-Features: AZwV_Qjf0V_KddtBmOhgiCEljjPu-JJQ-hwrdIs2ujTZP1P95H4dC6J_1bsxMbs Message-ID: Subject: Re: Custom oauth validator options To: Jacob Champion Cc: VASUKI M , PostgreSQL Hackers , david.g.johnston@gmail.com, Robert Haas , myon@debian.org Content-Type: text/plain; charset="UTF-8" X-CLOUD-SEC-AV-Sent: true X-CLOUD-SEC-AV-Info: percona,google_mail,monitor X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > I agree it could be, but is it any more confusing than if you were to > set work_mem in postgresql.conf today, and then `ALTER ROLE ALL SET > work_mem` to something completely different? I would say yes, because in the ALTER ROLE case, it's clear that a role specific setting is more specific. But I also understand this reasoning, I'll update the patch to follow this approach. > Right. This goes back to your question upthread as to why I brought > session_preload_libraries into all this -- I thought > session_preload_libraries already had handling for this, but it > doesn't. I looked into the previous idea I mentioned, about using child processes for the purpose, and got that working. * to prevent pg_hba reloads if something is invalid in it * possibly to print out a warning (or error/fatal) during postmaster startup along/instead of the connection warning * possibly to do the same during sighup The "instead of connection warning" (removing the placeholders from postmaster) part is a bit complex or limited, as the postmaster can't use dsm, and there can be any number of variables. This is again a bit of a different topic, but I could make that a proper patch from this prototype. The important part for this thread is that if you would prefer a version which completely verifies the pg_hba configuration before accepting it, it's not that difficult to implement, or at least it's not as complex as I originally imagined it. But even that won't guarantee that the configuration always remains valid, because session preload libraries can change without a server restart/reload... but that's a rare corner case, and it could be a useful check most of the time.