On Tue, Aug 15, 2023 at 03:39:10PM -0700, Jacob Champion wrote:
> I'm not super comfortable with saying "connection authenticated" when
> it explicitly hasn't been (nor with switching the meaning of a
> non-NULL SYSTEM_USER from "definitely authenticated somehow" to "who
> knows; parse it apart to see"). But adding a log entry ("connection
> trusted:" or some such?) with the pointer to the HBA line that made it
> happen seems like a useful audit helper to me.Yeah, thanks for confirming. That's also the impression I get after reading again the original thread and the idea of how this code path is handled in this commit. We could do something like a LOG "connection: method=%s user=%s (%s:%d)", without the "authenticated" and "identity" terms from set_authn_id(). Just to drop an idea. -- Michael
signature.asc
Description: PGP signature
