On 26th of August 2023, Michael Paquier committed patch:
Generate new LOG for "trust" connections under log_connections

Adding an extra LOG for connections that have not set an authn ID, like when the "trust" authentication method is used, is useful for audit purposes.

A couple of TAP tests for SSL and authentication need to be tweaked to adapt to this new LOG generated, as some scenarios expected no logs but they now get a hit.

Reported-by: Shaun Thomas
Author: Jacob Champion
Reviewed-by: Robert Haas, Michael Paquier
Discussion: https://postgr.es/m/CAFdbL1N7-GF-ZXKaB3XuGA+CkSmnjFvqb8hgjMnDfd+uhL2u-A@mail.gmail.com
So, this is cool for auditing purposes.
Before this patch, we could have seen logged messages like:
2023-09-01 17:34:55.454 CEST xxx@depesz 123926 [local] LOG: connection authenticated: identity="xxx" method=scram-sha-256 (/home/pgdba/data/pg_hba.conf:116)
2023-09-01 17:36:12.245 CEST yyy@depesz 124538 [local] LOG: connection authenticated: identity="yyy" method=peer (/home/pgdba/data/pg_hba.conf:117)
but now, for connections authenticated with trust, we also see similar info:
2023-09-01 17:36:18.475 CEST depesz@depesz 124680 [local] LOG: connection authenticated: user="depesz" method=trust (/home/pgdba/data/pg_hba.conf:121)
which clearly shows that the user wasn't authenticated (well, they were, but using trust, which doesn't really check anything), and that it was because of line 121 in pg_hba.conf.
Nice, thanks to all involved 🙂