feat: add identity user parameter and use that for mtls

[levkk]

[[users]]
identity = "pgdog.dev"
user = "prod"
database = "prod"
server_auth = "rds_iam"

Instead of matching on user, match on identity, allowing multiple users with the same identity.

[codecov]

Codecov Report

❌ Patch coverage is 23.52941% with 13 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
pgdog/src/backend/databases.rs	0.00%	5 Missing ⚠️
pgdog-config/src/users.rs	20.00%	4 Missing ⚠️
pgdog/src/backend/pool/cluster.rs	50.00%	3 Missing ⚠️
pgdog/src/frontend/client/mod.rs	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[sgrif]

Minor nits

[sgrif]

This and the line below feel related enough to justify encapsulating in a method

[levkk]

Yes. I don't even know if it's right though yet, I just added this to make the warning go away. Need to 🤔 🤔 🤔 🤔 🤔

[sgrif]

Can't figure out how to do a multi line selection on mobile but I'd write this as self.databases.get(&user.to_user()).and_then(|cluster| cluster.identity())

[sgrif]

Why are we cloning this only to immediately go back to a reference on the next line?

[levkk]

It's coming from a global ArcSwap and we don't want to keep a reference to that while we check because of its fast path/slow path optimization that scares me.

[levkk]

Also because borrow checker said so

[blacksmith-sh]

Found 1 test failure on Blacksmith runners:

Failure

Test	View Logs
TestReloadWithAutoRole	View Logs

[sgrif]

Also feels like code that justifies a unit test imo

…

On Thu, May 21, 2026, 4:36 PM blacksmith-sh[bot] ***@***.***> wrote: *blacksmith-sh[bot]* left a comment (pgdogdev/pgdog#996) <#996 (comment)> Found 1 test failure on Blacksmith runners: Failure Test View Logs lb_tests/TestReloadWithAutoRole View Logs <https://app.blacksmith.sh/pgdogdev/runs/26256756337/jobs/77281644284?attempt=1&ref=gh_comment&autoLogin=true&tab=tests&status=failed#test=14b000e6-7844-4768-a48a-f10072eacbf2> [image: Fix in Cursor] <https://backend.blacksmith.sh/track/cursor?cursor_url=cursor%3A%2F%2Fanysphere.cursor-deeplink%2Fprompt%3Ftext%3DFix%2Bthese%2Bfailing%2Btests%253A%250A%250A1.%2Blb_tests%252FTestReloadWithAutoRole%250A&expires=1781994945&installation=pgdogdev&job_id=77281644284&run_id=26256756337&test_count=1&signature=11824c54c12dae273163235a826dce285036cede0cd4d0bd56fb223371524eb2> — Reply to this email directly, view it on GitHub <#996 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALVMK4EXGVC2I57GPWHNZD436AFPAVCNFSM6AAAAACZILLK2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DKMJTGMYTENBXGA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because your review was requested.Message ID: ***@***.***>

[levkk]

Also feels like code that justifies a unit test imo

If I can figure out how to write one for this. TLS is ...like the worst.