Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vgZ3Y-00FSRo-14
	for pgsql-hackers@arkaria.postgresql.org;
	Fri, 16 Jan 2026 01:55:21 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1vgZ2W-0000v4-2u
	for pgsql-hackers@arkaria.postgresql.org;
	Fri, 16 Jan 2026 01:54:17 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1vgZ2W-0000uv-1m
	for pgsql-hackers@lists.postgresql.org;
	Fri, 16 Jan 2026 01:54:16 +0000
Received: from mail-qt1-x82e.google.com ([2607:f8b0:4864:20::82e])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1vgZ2T-000jUB-37
	for pgsql-hackers@lists.postgresql.org;
	Fri, 16 Jan 2026 01:54:15 +0000
Received: by mail-qt1-x82e.google.com with SMTP id d75a77b69052e-50150bc7731so23796861cf.1
        for <pgsql-hackers@lists.postgresql.org>; Thu, 15 Jan 2026 17:54:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=enterprisedb.com; s=google; t=1768528451; x=1769133251; darn=lists.postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=zJ49/7CuxTTj8q4vuKBqPAFR4YFcgub1l+rWesXbfXQ=;
        b=aR23mQulfOWG5D6bjJOiaxwa034aBT3BTldocCP4LWwjGkYaZ9jxkMwpbImDFvo+f4
         3RWEWPigIx2wSWh5EjazsAnsMK+7ht8pLRbcSwvzEsYru6vNcIkiHcg+S8eQ2e8zWe4q
         PY9YZdNndGX1EYGriTJs+4tMVSL07YxjOZHfGol5aSglD6juHwiYE1xwCsc0J+V0OK3x
         8boGC3Bt/DBUYK1iOaHvvCcJI9tybM3GWHYxoPgo8BNQVXXrJX2BTbA+C2R3rnJuW2Mm
         6V1kE+qde3BZ3xYgsisokO8h2fbpf1I6b21UfrCx39cmy9hUX6jukWnT9JIkihknv+D3
         PrUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768528451; x=1769133251;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=zJ49/7CuxTTj8q4vuKBqPAFR4YFcgub1l+rWesXbfXQ=;
        b=VDZjfMQDNSEr+AYCeg4U03Q/0pW8kyC8hcbPwm6MA2+Z//mHfzETi9X6NB2fYCAWdO
         bp/CWQzHvsAyAjjZyPl7rvKNPP2ZU9MpU/U3T5YlZqNzo7aRIjRSDrqj8U0aSbPHyX7o
         YnRFBvE8o67dqZFKK/M1sLTcYbpTcP17IN2Z2UD5bBgdBu/Ur2un5nlNsCCkDsn4nNnd
         oq1WRBA/OWsRze+3fZ7zazH/itM8R2ZKdPnwRG+swXbdG4UH0Mnn/Jv3pHvHpvBBAqz0
         vTF01QyYFij4LRpJZ3rXvJCMlBVM6A55da/sYZlysLo+mRehGYGUMqTOW93VQAgSfOf7
         ZxGw==
X-Forwarded-Encrypted: i=1; AJvYcCXq/knFJrj0JoQa+/NPqkJYWvtpC7bPxZd2PSuwzENgLxapT6M8Eur3SxZkxCj7u6TewZVOSTDoAXiX447K@lists.postgresql.org
X-Gm-Message-State: AOJu0Yyqe/NYSeV8IQbmGpPCqFFxBffOh/4AAzvgZ8yiN9ijo7DTKgOo
	4CK0jN7Tn+OxGtT7tvh9TDwJhXCcbGKVO/xAvpUJgHZtv7+a8BrVImO5LG0AMMuA3j4/Lw9JpiW
	bB6qPa2kGO6mcFcSrfgQJMzTzxvSpXokWm4kkbykz
X-Gm-Gg: AY/fxX4Ull9TWhQ/7NrsvkTb52bCkyzArHZCdwVqo1cfGzHKiD9jri227Is5NOfqV6t
	MuxReZCbtOgIVOIQyarQ2o9HzCV4Eio4AHy/fYNBCE4yfPGD5N8QT//wrOACXw5yIkKaOx6VguD
	nJDtOQfwATvRE2ZEorkZmI/O8kwx34kKisOa9TlzH4zSq2dkDIHc/QaFR7IMXTFUXVHvYeAbnF6
	7AuM21Mz5h0u38JTauLPtpgwZl2aIIBlZsKD+6NmSk/OjK8gHW46DPgoRYsjRvNf0pf1CzIVA==
X-Received: by 2002:a05:622a:343:b0:4ed:2ff9:b325 with SMTP id
 d75a77b69052e-502a1f75bdfmr18073651cf.59.1768528451593; Thu, 15 Jan 2026
 17:54:11 -0800 (PST)
MIME-Version: 1.0
References: <CAN4CZFM3b8u5uNNNsY6XCya257u+Dofms3su9f11iMCxvCacag@mail.gmail.com>
 <CAE2r8H55geNFtECuFunpgn0LJK2+rntGuTeqNr6mP7gGhWFRbA@mail.gmail.com>
 <CAN4CZFP_2fe2-18wUoXDZodV8suVe9o++pv=hP8KxxvWkmCx7A@mail.gmail.com>
 <CAOYmi+kMuA7t9ao6rWZ=5kn_Zmd7qtwOay_ocEBXwkzKWbefhQ@mail.gmail.com>
 <CAE2r8H439jg+e5gXJpNNMoroe4CfWauDRfUBZC_9NUNTOhqzBQ@mail.gmail.com>
 <CAN4CZFN9RMF_79kx75SkQZezd91DocUzz89bJeBJrMO=uNuG2w@mail.gmail.com>
 <CAOYmi+krPZDC8K+9z64M2EY9fELTKzLbqw8fD_wK=87YV+TBgw@mail.gmail.com>
 <CAN4CZFPvjAt+eZJd=Rxp=yXRjva8CpJ_BbnF=vQW6uXCqfrjEg@mail.gmail.com>
 <CAOYmi+nbCrvcE9wLQdNCgMwDbbi_UzGYrzfC54txmMBJ9KxO=Q@mail.gmail.com>
 <CAN4CZFNywvG59B+nBgD1_1fHE2uODBH3EcF_gwLmC7Y5U6Ru4Q@mail.gmail.com>
 <CAOYmi+=-OdzHMzqg9i8TwYvgKwE-vroj0d-9SqnRnwbz02SgTg@mail.gmail.com> <CAN4CZFPo1POb9fWMihTACFxE=xSxKEANHRkxN4YbMMN-0SML=w@mail.gmail.com>
In-Reply-To: <CAN4CZFPo1POb9fWMihTACFxE=xSxKEANHRkxN4YbMMN-0SML=w@mail.gmail.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Thu, 15 Jan 2026 17:54:00 -0800
X-Gm-Features: AZwV_QjjB4c2WtUHFAuq5adUmZ7DypCiMuKgmqVXMxt_ZIDYugIxrtu-DdcMagk
Message-ID: <CAOYmi+kVAiKf=WrnyzGxCmx-uu=arPE0=+Mf_AOhuTzkvCNC2w@mail.gmail.com>
Subject: Re: Custom oauth validator options
To: Zsolt Parragi <zsolt.parragi@percona.com>
Cc: VASUKI M <vasukianand0119@gmail.com>, 
	PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, david.g.johnston@gmail.com, 
	Robert Haas <robertmhaas@gmail.com>, myon@debian.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: <https://www.postgresql.org/message-id/CAOYmi%2BkVAiKf%3DWrnyzGxCmx-uu%3DarPE0%3D%2BMf_AOhuTzkvCNC2w%40mail.gmail.com>
Precedence: bulk

On Wed, Jan 14, 2026 at 10:20=E2=80=AFAM Zsolt Parragi
<zsolt.parragi@percona.com> wrote:
>
> > Well, how do you want "global" GUCs registered by the validator to
> > behave when OAuth isn't used for the connection?
>
> My assumption was that with session_preload we only validate the line
> used for the current login, not all the lines. This way we don't have
> to always include all validator/hba plugins in session_preload, for
> every login.
>
> This is what I implemented for now, but if you think it would be
> better to validate every line, I can adjust that.

Let me think about that a bit, and look over your v2 approach; my
kneejerk reaction was that this is a dangerous situation to be in. I
want to know that my HBA is invalid when I reload, not later on down
the line.

But my understanding of GUCs from session_preload_libraries also had
some wishful thinking behind it. I believed that the situation today
was stricter than it actually is:

    $ tail -2 data/postgresql.conf
    session_preload_libraries =3D auto_explain
    auto_explain.blahblahblah =3D yes

    $ psql postgres
    WARNING:  invalid configuration parameter name
"auto_explain.blahblahblah", removing it
    DETAIL:  "auto_explain" is now a reserved prefix.
    psql (18.0)
    Type "help" for help.

And it makes sense that the postmaster is not going to somehow unload
and reload those libraries during SIGHUP, just to check GUC settings.
Hrmmm...

(If we did go in this direction, I think we might want to be
punishingly strict for the first iteration of the feature. PGC_HBA
providers should prefix their settings to avoid confusion and/or
future collisions anyway, so if we don't know what the GUC is, and its
prefix doesn't match either a validator name -- which is DBA-blessed
-- or a valid session_preload_libraries item, I'm not sure we should
even wait to complain.)

> > Of those choices, this _seems_ nicest. It'd be good to get a feel for
> > how it behaves in practice though.
>
> See the attached v2, with the above comment.

Thank you!

> Other than the above question (validate everything vs the current
> line), I'm also not entirely sure if we do need PGC_HBA. It could also
> work with PGC_SIGHUP + the new PGC_S_HBA value in GucSources.

I might be misunderstanding, but wouldn't that imply that DBAs could
now put every existing SIGHUP setting into HBA? That doesn't seem
good. My hope was that some existing SIGHUP variables could be
downgraded to HBA variables (say, gss_accept_delegation or
authentication_timeout -- though there might be a chicken-and-egg
issue for the latter?), but that's going to be a short list.

--Jacob