On Tue, Mar 18, 2025 at 03:38:06PM -0700, Robert Pufky wrote:
> For the 'Test: pg_hba.conf' tests, I included the wrong testing notes, they
> should be:
>
> Test 2:
> .../17/main/pg_hba.conf
> include_dir = conf.d
> include_if_exists = /tmp/pg_hba.conf
>
> Test 3:
> .../17/main/pg_hba.conf
> include_dir 'conf.d'
> include_if_exists '/tmp/pg_hba.conf'
>
> Test 4:
> .../17/main/pg_hba.conf
> include_dir conf.d
> include_if_exists /tmp/pg_hba.conf
The logic used for configuration files regarding GUCs (aka
postgresql.conf) and HBA/ident files are bound to different rules when
it comes to quotes. For the HBA/ident files, the logic is around
next_token() in hba.c. For GUC files, the logic is much smarter, see
guc-file.l. The handling of the quotes and separators is different
based on these rules, so, while we have a consistent set of grammar
keywords to use for both, you may see differences like the ones you
are reporting here.
Your confusion here is behind the use of the "=" parameter with one of
the include directives, making the HBA/ident code parsing think that
this is a connection option, but well, it's not. The documentation
does not mention that this combination is OK:
https://www.postgresql.org/docs/devel/auth-pg-hba-conf.html
https://www.postgresql.org/docs/devel/auth-username-maps.html
Perhaps you're right and we should expand this error message to
provide more details, or make the token parsing slightly smarter in
this case by feeding optional "=" separators. However, I am not
convinced that this is worth the effort just on the ground to make
HBA/ident parsing closer to the GUC parsing, because they are entirely
different facilities, and the docs clearly state that '=' is not part
of the supported grammar for the include keywords in the HBA and ident
parts. Hence, the HBA parsing generating this "invalid connection
type" error is not completely wrong, because it's telling what it sees
based on the tokens parsed.
--
Michael
