Re: "cert" + clientcert=verify-ca in pg_hba.conf?

On Tue, Sep  1, 2020 at 01:59:25PM +0900, Kyotaro Horiguchi wrote:
> At Mon, 31 Aug 2020 11:34:29 -0400, Bruce Momjian <bruce@momjian.us> wrote in 
> > On Mon, Aug 31, 2020 at 05:56:58PM +0900, Kyotaro Horiguchi wrote:
> > > Ok, this is that. If we spcify clientcert=no-verify other than for
> > > "cert" authentication, server complains as the following at startup.
> > 
> > Why does clientcert=no-verify have any value, even for a
> > cert-authentication line?
> > 
> > > > LOG:  no-verify or 0 is the default setting that is discouraged to use explicitly for clientcert option
> > > > HINT:  Consider removing the option instead. This option value is going to be deprecated in later version.
> > > > CONTEXT:  line 90 of configuration file "/home/horiguti/data/data_noverify/pg_hba.conf"
> > 
> > I think it should just be removed in PG 14.  This is a configuration
> > setting, not an SQL-level item that needs a deprecation period.
> 
> Ok, it is changed to just error out. I tempted to show a suggestion to
> removing the option in that case like the following, but *didn't* in
> this version of the patch.

OK, I have developed the attached patch based on yours.  I reordered the
tests, simplified the documentation, and removed the hint since they
will already get a good error message, and we will document this change
in the release notes.  It is also good you removed the 0/1 values for
this, since that was also confusing.  We will put that removal in the
release notes too.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee