| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | "Jonathan Gonzalez V(dot)" <jonathan(dot)abdiel(at)gmail(dot)com> |
| Cc: | Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com>, Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode |
| Date: | 2026-01-05 18:37:45 |
| Message-ID: | CAOYmi+nQawWHzC4mRhJnzZzzqjnUDg-yxN3f3ZqPX=+jpKU+zg@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sat, Dec 20, 2025 at 9:53 AM Jonathan Gonzalez V.
<jonathan(dot)abdiel(at)gmail(dot)com> wrote:
> > > > https://wiki.postgresql.org/wiki/Proposal:_Promote_PGOAUTHCAFILE_to_feature
> > >
> > > How can we work on that? because of the above it may be required to
> > > add
> > > even more possibilities.
> >
> > Not sure what you mean. I think we're working on it now, in this
> > thread?
>
> Yes, but having a list of ideas listed, that we all can read may make
> sense, that's because following the threads with all the ideas at once
> it's a big difficult some times!
See https://wiki.postgresql.org/wiki/Category:OAuth_Working_Group for
a current list of tagged [oauth] proposals. Or is that not what you're
asking about?
> In my opinion, "debug" it's not just developers, [...]
> since all the systems now days can run on hundreds
> of servers or containers, no one looks into the logs manually, you have
> automated system for it, that will read, parse, collect and distribute
> your logs into different storage, databases(even PostgreSQL database
> can be used for it) or display system. It is for theses cases that
> having something that can be parsed is always useful.
Sure, but that's not the use case for PGOAUTHDEBUG. It's fine to
develop a feature that handles production logging for client
authentication details -- it's just emphatically not what that envvar
was designed to do. This is a developer feature which turns out to be
hiding another feature that people want to use in production today.
I know the most visible aspect of PGOAUTHDEBUG=UNSAFE is the logging
spray, so that might have contributed to the confusion.
> Well, I think I was misunderstood here, when I was talking about "debug
> levels" I was talking about logs debug levels
Right, and I'm not. I guess that's the main disconnect here: I'm only
talking about enabling and disabling the features exposed by
PGOAUTHDEBUG. I don't think a debug level helps with that, which is
why I proposed a bitmap.
But that's a feature for a different thread name. I think we should
continue this one by adding an oauth_ca_file connection parameter and
documentation, including the default behavior (which defers to Curl).
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Masahiko Sawada | 2026-01-05 18:41:15 | Re: Fix incorrect buffer lock description in pg_visibility comment |
| Previous Message | Andres Freund | 2026-01-05 18:36:50 | Re: Adding NetBSD and OpenBSD to Postgres CI |