Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jonathan Katz <jonathan.katz@excoventures.com>
Cc: aditya desai <admad123@gmail.com>, pgsql-sql <pgsql-sql@lists.postgresql.org>
Date: 2021-12-17T17:04:33Z
Lists: pgsql-sql
Jonathan Katz <jonathan.katz@excoventures.com> writes:
>> On Dec 17, 2021, at 11:27 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> The problem is
>> that making use of any credentials stored in the server's filesystem
>> amounts to impersonating the OS user that's running the server.  It'd
>> be nice to find a less confining solution, but I'm not sure what one
>> would look like.

> Even stepping back and just looking at what prompted the question,
> i.e. “hardcoding the username/password”, if there was a way we could
> allow for the injection of the credentials when we’re trying to establish
> the connection, that may be one way forward, but I see that also
> opening up a bunch more problems we would need to consider.

One approach that's available now is to have dblink use a foreign
server/foreign user mapping definition.  Then the secret is stored
in pg_user_mapping rather than in the SQL text, which is an
improvement anyway.  (If you want to complain about that, you have
to be a little more specific about what your threat model is.
Somebody who can peek into pg_user_mapping can probably get hold
of credentials in the server's filesystem, too.)

			regards, tom lane