Re: pg_authid.rolpassword format (was Re: Password identifiers, protocol aging and SCRAM protocol)
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Michael Paquier <michael.paquier@gmail.com>, Robert Haas <robertmhaas@gmail.com>, Andres Freund <andres@anarazel.de>, David Steele <david@pgmasters.net>, Tom Lane <tgl@sss.pgh.pa.us>, David Fetter <david@fetter.org>, Alvaro Herrera <alvherre@2ndquadrant.com>, Magnus Hagander <magnus@hagander.net>, Julian Markwort <julian.markwort@uni-muenster.de>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>, Valery Popov <v.popov@postgrespro.ru>
Date: 2016-12-15T13:40:30Z
Lists: pgsql-hackers
* Heikki Linnakangas (hlinnaka@iki.fi) wrote: > On 12/14/2016 04:57 PM, Stephen Frost wrote: > >* Peter Eisentraut (peter.eisentraut@2ndquadrant.com) wrote: > >>On 12/14/16 5:15 AM, Michael Paquier wrote: > >>>I would be tempted to suggest adding the verifier type as a new column > >>>of pg_authid > >> > >>Yes please. > > > >This discussion seems to continue to come up and I don't entirely > >understand why we keep trying to shove more things into pg_authid, or > >worse, into rolpassword. > > I understand the relational beauty of having a separate column for > the verifier type, but I don't think it would be practical. I disagree. > For > starters, we'd still like to have a self-identifying string format > like "scram-sha-256:<stuff>", so that you can conveniently pass the > verifier as a string to CREATE USER. I don't follow why we can't change the syntax for CREATE USER to allow specifying the verifier type independently. Generally speaking, I don't expect *users* to be providing actual encoded *verifiers* very often, so it seems like a bit of extra syntax that pg_dump has to use isn't that big of a deal. > I think it'll be much better to > stick to one format, than try to split the verifier into type and > the string, when it enters the catalog table. Apparently, multiple people disagree with this approach. I don't think history is really on your side here either. > >We should have an independent table for the verifiers, which has a > >different column for the verifier type, and either starts off supporting > >multiple verifiers per role or at least gives us the ability to add that > >easily later. We should also move rolvaliduntil to that new table. > > I agree we'll probably need a new table for verifiers. Or turn > rolpassword into an array or something. We discussed that before, > however, and it didn't really go anywhere, so right now I'd like to > get SCRAM in with minimal changes to the rest of the system. There > is a lot of room for improvement once it's in. Using an array strikes me as an absolutely terrible idea- how are you going to handle having different valid_until times then? I do agree with trying to get SCRAM in without changing too much of the rest of the system, but I wanted to make it clear that it's the only point that I agree with for continuing down this path and that we should absolutely be looking to change the CREATE USER syntax to specify the verifier independently, plan to use a different table for the verifiers with an independent column for the verifier type, support multiple verifiers per role, etc, in the (hopefully very near...) future. Thanks! Stephen
Commits
-
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
- 818fd4a67d61 10.0 landed
-
Refactor SHA2 functions and move them to src/common/.
- 273c458a2b3a 10.0 landed
-
Replace isMD5() with a more future-proof way to check if pw is encrypted.
- dbd69118c05d 10.0 landed
-
Remove bogus notice that older clients might not work with MD5 passwords.
- 7e3ae5455948 9.2.20 landed
- 470af1f41c8b 9.3.16 landed
- ada2cdb61015 9.4.11 landed
- 65a7f190b253 9.5.6 landed
- 7546c135dc30 9.6.2 landed
- 31c54096a18f 10.0 landed
-
Refactor the code for verifying user's password.
- e7f051b8f9a6 10.0 landed
-
Replace PostmasterRandom() with a stronger source, second attempt.
- fe0a0b5993df 10.0 landed
-
Remove support for (insecure) crypt authentication.
- 53a5026b5cb3 8.4.0 cited