Thread

  1. Re: postgres_fdw: use_scram_passthrough on user mapping is ignored when also set on server

    Matheus Alcantara <matheusssilv97@gmail.com> — 2026-05-23T16:46:48Z

    On 22/05/26 22:58, Fujii Masao wrote:
    > On Mon, May 18, 2026 at 11:42 PM Matheus Alcantara
    > <matheusssilv97@gmail.com> wrote:
    >> I think that the test is worth to have to avoid such issues in the
    >> future again, but I agree that adding as a TAP test is overkill. I've
    >> moved to sql/dblink.sql on the new attached version.
    >>
    >> Do you think that we need to add such test for postgres_fdw too?
    > 
    > No, I don't think so.
    > 
    > In dblink, use_scram_passthrough is handled by a dblink-specific validation
    > path, and patch 0003 fixes that specific code path. So it might be worth
    > adding such test for dblink.
    > 
    > In postgres_fdw, however, this option is handled by the generic option/context
    > validation machinery, not by any special-case code. We already have tests for
    > context-sensitive option validation there. So adding such test for postgres_fdw
    > would be mostly redundant, I think. Thought?
    > 
    
    Agree, it make sense.
    
    >> Yeah, we don't have any documentation about this on 18, but we do have
    >> for sslkey and sslcert where in postgres-fdw.sgml we have the following:
    >>      sslkey and sslcert - these may appear in either or both a connection
    >>      and a user mapping. If both are present, the user mapping setting
    >>      overrides the connection setting.
    >>
    >> So I think that is desirable to have the same behavior for
    >> use_scram_passthrough.
    > 
    > Agreed. I'm therefore thinking of backpatching patches 0001 and 0002 to v18.
    > 
    > Even in v18, this change is very narrow. It only affects cases where
    > use_scram_passthrough is specified at both the server and user-mapping levels
    > with conflicting values. In such cases, the natural interpretation is that
    > the user-mapping setting is intended to override the server-level setting;
    > otherwise, there would be little reason to specify conflicting values.
    > 
    > Given the limited impact, leaving v18 as the only branch with different
    > semantics for a feature introduced in v18 seems more undesirable and
    > potentially confusing. So I think backpatching to v18 makes sense.
    > 
    +1
    
    Thank you for finding the issue and reviewing the patch.
    
    --
    Matheus Alcantara
    EDB: https://www.enterprisedb.com