On Tue, Aug 15, 2023 at 3:24 PM Michael Paquier <mich...@paquier.xyz> wrote: > The first message from Jacob outlines the idea behind the handling of > trust. We could perhaps add one extra set_authn_id() for the uaTrust > case (not uaCert!) if that's more helpful.
I'm not super comfortable with saying "connection authenticated" when it explicitly hasn't been (nor with switching the meaning of a non-NULL SYSTEM_USER from "definitely authenticated somehow" to "who knows; parse it apart to see"). But adding a log entry ("connection trusted:" or some such?) with the pointer to the HBA line that made it happen seems like a useful audit helper to me. --Jacob