Add FATAL_CLIENT_ONLY to ereport/elog
Jacob Champion <jchampion@postgresql.org>
Author:
Jacob Champion <jchampion@postgresql.org>
Date: 2026-03-31T18:47:29Z
Releases:
19 (unreleased)
Add FATAL_CLIENT_ONLY to ereport/elog SASL exchanges must end with either an AuthenticationOk or an ErrorResponse from the server, and the standard way to produce an ErrorResponse packet is for auth_failed() to call ereport(FATAL). This means that there's no way for a SASL mechanism to suppress the server log entry if the "authentication attempt" was really just a query for authentication metadata, as is done with OAUTHBEARER. Following the example of 1f9158ba4, add a FATAL_CLIENT_ONLY elevel. This will allow ClientAuthentication() to choose not to log a particular failure, while still correctly ending the authentication exchange before process exit. (The provenance of this patch is convoluted: since it's a mechanical copy-paste of 1f9158ba4, both Zsolt Parragi and I produced nearly identical versions independently, and Andrey Borodin reviewed Zsolt's version. Tom Lane is the author of 1f9158ba4, but I don't want to imply that he's signed off on this adaptation. See Discussion.) Reviewed-by: Andrey Borodin <x4mmm@yandex-team.ru> Discussion: https://postgr.es/m/CAN4CZFPim7hUiyb7daNKQPSZ8CvQRBGkVhbvED7yZi8VktSn4Q%40mail.gmail.com
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/utils/error/elog.c | modified | +5 −2 |
| src/include/utils/elog.h | modified | +2 −1 |
Discussion
- Improve OAuth discovery logging 31 messages · 2026-02-11 → 2026-03-31