From 7cdb292b37f25bed59de3c64bfbd91f0e2be81a3 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 10 Apr 2025 13:49:18 +0000
Subject: [PATCH] Add pg_tenant_only_auth_public_key_path check to safekeeper
 authentication

Co-Authored-By: John Spray <john@neon.tech>
---
 safekeeper/src/bin/safekeeper.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/safekeeper/src/bin/safekeeper.rs b/safekeeper/src/bin/safekeeper.rs
index fb8f7b0c48..52286896e5 100644
--- a/safekeeper/src/bin/safekeeper.rs
+++ b/safekeeper/src/bin/safekeeper.rs
@@ -349,9 +349,10 @@ async fn main() -> anyhow::Result<()> {
     if !args.dev {
         let http_auth_enabled = args.http_auth_public_key_path.is_some();
         let pg_auth_enabled = args.pg_auth_public_key_path.is_some();
-        if !http_auth_enabled || !pg_auth_enabled {
+        let pg_tenant_only_auth_enabled = args.pg_tenant_only_auth_public_key_path.is_some();
+        if !http_auth_enabled || !pg_auth_enabled || !pg_tenant_only_auth_enabled {
             bail!(
-                "Safekeeper refuses to start with HTTP or PostgreSQL API authentication disabled.\n\
+                "Safekeeper refuses to start with HTTP, PostgreSQL, or tenant-only PostgreSQL API authentication disabled.\n\
                   Run with --dev to allow running without authentication.\n\
                   This is insecure and should only be used in development environments."
             );