pgwire: new methods in HBA config break mixed-version clusters

[knz]

If a user installs a gss HBA rule in a cluster using a license, then it is not possible any more to run the cluster using a pure OSS binary because the gss method is not present in the OSS binary.

Also, suppose we implement a new auth method foo in 20.1.
Then I am in the process of ugprading a 19.2 cluster, and I have both 19.2 and 20.1 nodes.

If I add a new rule host all all all foo in my hba.conf in 20.1, the following will happen:

• the conf change will be accepted by the 20.1 node.
• all the 19.2 nodes will load the conf then start to reject all client connections because it does not know how to interpret the new auth method.

The fix is simple: assume in the auth code in 19.2 that unknown configs come from future versions.

cc @mjibson

[aaron-crl]

I'm currently thinking about how to support reduced authentication versions (like a hypothetical FIPS build) and I'd much rather see this behavior be explicitly stated and handled rather than implied.

[knz]

Closing this - we're operating with version checks now (i.e. can't use a new feature until all nodes recognize it).

If a cluster uses a CCL feature (e.g. gss) and the binary is "downgraded" to OSS-only, they get a clean error. From that point they can get back to CCL, change the setting, then come back to OSS-only.