Re: postgres_fdw: use_scram_passthrough on user mapping is ignored when also set on server

Matheus Alcantara <matheusssilv97@gmail.com>

From: Matheus Alcantara <matheusssilv97@gmail.com>
To: Fujii Masao <masao.fujii@gmail.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2026-05-23T16:46:48Z
Lists: pgsql-hackers
On 22/05/26 22:58, Fujii Masao wrote:
> On Mon, May 18, 2026 at 11:42 PM Matheus Alcantara
> <matheusssilv97@gmail.com> wrote:
>> I think that the test is worth to have to avoid such issues in the
>> future again, but I agree that adding as a TAP test is overkill. I've
>> moved to sql/dblink.sql on the new attached version.
>>
>> Do you think that we need to add such test for postgres_fdw too?
> 
> No, I don't think so.
> 
> In dblink, use_scram_passthrough is handled by a dblink-specific validation
> path, and patch 0003 fixes that specific code path. So it might be worth
> adding such test for dblink.
> 
> In postgres_fdw, however, this option is handled by the generic option/context
> validation machinery, not by any special-case code. We already have tests for
> context-sensitive option validation there. So adding such test for postgres_fdw
> would be mostly redundant, I think. Thought?
> 

Agree, it make sense.

>> Yeah, we don't have any documentation about this on 18, but we do have
>> for sslkey and sslcert where in postgres-fdw.sgml we have the following:
>>      sslkey and sslcert - these may appear in either or both a connection
>>      and a user mapping. If both are present, the user mapping setting
>>      overrides the connection setting.
>>
>> So I think that is desirable to have the same behavior for
>> use_scram_passthrough.
> 
> Agreed. I'm therefore thinking of backpatching patches 0001 and 0002 to v18.
> 
> Even in v18, this change is very narrow. It only affects cases where
> use_scram_passthrough is specified at both the server and user-mapping levels
> with conflicting values. In such cases, the natural interpretation is that
> the user-mapping setting is intended to override the server-level setting;
> otherwise, there would be little reason to specify conflicting values.
> 
> Given the limited impact, leaving v18 as the only branch with different
> semantics for a feature introduced in v18 seems more undesirable and
> potentially confusing. So I think backpatching to v18 makes sense.
> 
+1

Thank you for finding the issue and reviewing the patch.

--
Matheus Alcantara
EDB: https://www.enterprisedb.com