diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 55694c4368..add25b2b43 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -8953,8 +8953,8 @@ SCRAM-SHA-256$<iteration count>:&l
text
Host name or IP address, or one
- of all, samehost,
- or samenet, or null for local connections
+ of &all, &samehost,
+ or &samenet, or null for local connections
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 5f1eec78fb..96fc4b01e9 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -81,11 +81,26 @@
A record is made
up of a number of fields which are separated by spaces and/or tabs.
Fields can contain white space if the field value is double-quoted.
- Quoting one of the keywords in a database, user, or address field (e.g.,
- all or replication) makes the word lose its special
- meaning, and just match a database, user, or host with that name.
+
+
+ As of version 13, keywords are preceded by the character "&".
+ For compatibility, the following legacy keywords are still accepted
+ on their own:
+ all, replication,
+ samegroup, samehost,
+ samenet, samerole,
+ sameuser.
+
+
+
+ Quoting one of these legacy keywords in a database, user, or address
+ field makes the word lose its special meaning, and just match a
+ database, user, or host with that name.
+
+
+
Each record specifies a connection type, a client IP address range
(if relevant for the connection type), a database name, a user name,
@@ -221,18 +236,18 @@ hostnogssenc database user
Specifies which database name(s) this record matches. The value
- all specifies that it matches all databases.
- The value sameuser specifies that the record
+ &all specifies that it matches all databases.
+ The value &sameuser specifies that the record
matches if the requested database has the same name as the
- requested user. The value samerole specifies that
+ requested user. The value &samerole specifies that
the requested user must be a member of the role with the same
- name as the requested database. (samegroup is an
- obsolete but still accepted spelling of samerole.)
+ name as the requested database. (&samegroup is an
+ obsolete but still accepted spelling of &samerole.)
Superusers are not considered to be members of a role for the
- purposes of samerole unless they are explicitly
+ purposes of &samerole unless they are explicitly
members of the role, directly or indirectly, and not just by
virtue of being a superuser.
- The value replication specifies that the record
+ The value &replication specifies that the record
matches if a physical replication connection is requested (note that
replication connections do not specify any particular database).
Otherwise, this is the name of
@@ -249,7 +264,7 @@ hostnogssenc database user
Specifies which database user name(s) this record
- matches. The value all specifies that it
+ matches. The value &all specifies that it
matches all users. Otherwise, this is either the name of a specific
database user, or a group name preceded by +.
(Recall that there is no real distinction between users and groups
@@ -312,9 +327,9 @@ hostnogssenc database user
- You can also write all to match any IP address,
- samehost to match any of the server's own IP
- addresses, or samenet to match any address in any
+ You can also write &all to match any IP address,
+ &samehost to match any of the server's own IP
+ addresses, or &samenet to match any address in any
subnet that the server is directly connected to.
@@ -699,40 +714,40 @@ hostnogssenc database user
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index b6de92783a..da18c389e5 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -64,8 +64,20 @@ typedef struct check_network_data
bool result; /* set to true if match */
} check_network_data;
+/*
+ * The following keywords are accepted without the keyword sigil for legacy
+ * reasons. They may become normal words at some point in the future.
+ */
+#define token_is_legacy_keyword(t, k) (!t->quoted && ( \
+ strcmp(t->string, "all") == 0 || \
+ strcmp(t->string, "replication") == 0 || \
+ strcmp(t->string, "samegroup") == 0 || \
+ strcmp(t->string, "samehost") == 0 || \
+ strcmp(t->string, "samenet") == 0 || \
+ strcmp(t->string, "samerole") == 0 || \
+ strcmp(t->string, "sameuser") == 0))
-#define token_is_keyword(t, k) (!t->quoted && strcmp(t->string, k) == 0)
+#define token_is_keyword(t, k) ((t->string[0] == '&' && strcmp(t->string+1, k) == 0) || token_is_legacy_keyword(t, k))
#define token_matches(t, k) (strcmp(t->string, k) == 0)
/*
@@ -2472,7 +2484,7 @@ fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
* Flatten HbaToken list to string list. It might seem that we
* should re-quote any quoted tokens, but that has been rejected
* on the grounds that it makes it harder to compare the array
- * elements to other system catalogs. That makes entries like
+ * elements to other system catalogs. That makes entries with legacy keywords like
* "all" or "samerole" formally ambiguous ... but users who name
* databases/roles that way are inflicting their own pain.
*/
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index c853e36232..d08aba497f 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -21,12 +21,12 @@
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
#
-# DATABASE can be "all", "sameuser", "samerole", "replication", a
-# database name, or a comma-separated list thereof. The "all"
-# keyword does not match "replication". Access to replication
+# DATABASE can be &all, &sameuser, &samerole, &replication, a
+# database name, or a comma-separated list thereof. The &all
+# keyword does not match &replication. Access to replication
# must be enabled in a separate record (see example below).
#
-# USER can be "all", a user name, a group name prefixed with "+", or a
+# USER can be &all, a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
@@ -53,11 +53,18 @@
# section in the documentation for a list of which options are
# available for which authentication methods.
#
+# As of version 13, keywords are preceded by the character "&".
+# For compatibility, the following legacy keywords are still accepted on
+# their own:
+# all,
+# replication,
+# sameuser, samegroup, samerole,
+# samehost, samenet
+#
# Database and user names containing spaces, commas, quotes and other
-# special characters must be quoted. Quoting one of the keywords
-# "all", "sameuser", "samerole" or "replication" makes the name lose
-# its special character, and just match a database or username with
-# that name.
+# special characters must be quoted. Quoting one of the legacy keywords
+# from the previous paragraph makes the name lose its special character,
+# and just match a database or username with that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
@@ -77,13 +84,13 @@
# TYPE DATABASE USER ADDRESS METHOD
@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
-@remove-line-for-nolocal@local all all @authmethodlocal@
+@remove-line-for-nolocal@local &all &all @authmethodlocal@
# IPv4 local connections:
-host all all 127.0.0.1/32 @authmethodhost@
+host &all &all 127.0.0.1/32 @authmethodhost@
# IPv6 local connections:
-host all all ::1/128 @authmethodhost@
+host &all &all ::1/128 @authmethodhost@
# Allow replication connections from localhost, by a user with the
# replication privilege.
-@remove-line-for-nolocal@local replication all @authmethodlocal@
-host replication all 127.0.0.1/32 @authmethodhost@
-host replication all ::1/128 @authmethodhost@
+@remove-line-for-nolocal@local &replication &all @authmethodlocal@
+host &replication &all 127.0.0.1/32 @authmethodhost@
+host &replication &all ::1/128 @authmethodhost@