Re: pgsql: Superuser can permit passwordless connections on postgres_fdw
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: pgsql-committers@lists.postgresql.org
Date: 2019-12-20T12:02:08Z
Lists: pgsql-hackers
Hi Andrew, On Fri, Dec 20, 2019 at 05:55:10AM +0000, Andrew Dunstan wrote: > Superuser can permit passwordless connections on postgres_fdw > > Currently postgres_fdw doesn't permit a non-superuser to connect to a > foreign server without specifying a password, or to use an > authentication mechanism that doesn't use the password. This is to avoid > using the settings and identity of the user running Postgres. > > However, this doesn't make sense for all authentication methods. We > therefore allow a superuser to set "password_required 'false'" for user > mappings for the postgres_fdw. The superuser must ensure that the > foreign server won't try to rely solely on the server identity (e.g. > trust, peer, ident) or use an authentication mechanism that relies on the > password settings (e.g. md5, scram-sha-256). > > This feature is a prelude to better support for sslcert and sslkey > settings in user mappings. After this commit a couple of buildfarm animals are unhappy with the regression tests of postgres_fdw: CREATE ROLE nosuper NOSUPERUSER; +WARNING: roles created by regression test cases should have names starting with "regress_" GRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw TO nosuper; It is a project policy to only user roles prefixed by "regress_" in regression tests. These is also a second type of failure: -HINT: Valid options in this context are: [...] krbsrvname [...] +HINT: Valid options in this context are: [...] The diff here is that krbsrvname is not part of the list of valid options. Anyway, as this list is build-dependent, I think that this test needs some more design effort. -- Michael
Commits
-
Adjust test case added by commit 6136e94dc.
- 0af0504da91e 13.0 landed
-
libpq should expose GSS-related parameters even when not implemented.
- d09cfa3e2874 10.12 landed
- c11bd6c10fe5 9.6.17 landed
- 875c7d70def6 9.4.26 landed
- 5e22a111185c 9.5.21 landed
- 1a77ea02dca5 11.7 landed
- e8f60e6fe206 12.2 landed
- e60b480d39ee 13.0 landed
-
Superuser can permit passwordless connections on postgres_fdw
- 6136e94dcb88 13.0 cited