Re: SCRAM pass-through authentication for postgres_fdw
Matheus Alcantara <matheusssilv97@gmail.com>
From: Matheus Alcantara <matheusssilv97@gmail.com>
To: Jelte Fennema-Nio <postgres@jeltef.nl>,
Jacob Champion <jacob.champion@enterprisedb.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-12-09T18:06:11Z
Lists: pgsql-hackers
Attachments
- v2-0002-postgres_fdw-Add-documentation-for-SCRAM-auth.patch (text/plain) patch v2-0002
On 04/12/24 20:05, Jelte Fennema-Nio wrote: > On Wed, 4 Dec 2024 at 23:11, Jacob Champion > <jacob.champion@enterprisedb.com> wrote: >> It makes me a little uneasy to give users a reason to copy identical >> salts/verifiers around... But for e.g. a loopback connection, it seems >> like there'd be no additional risk. Is that the target use case? > > I don't think that necessarily has to be the usecase, > clustering/sharding setups could benefit from this too. PgBouncer > supports the same functionality[1]. I only see advantages over the > alternative, which is copying the plaintext password around. In case > of compromise of the server, only the salt+verifier has to be rotated, > not the actual user password. The patch is very similar with what was implemented on PgBoucer[1] > Regarding the actual patch: This definitely needs a bunch of > documentation explaining how to use this and when not to use this. I'm attaching a patch with a initial documentation, so that we can get initial thoughts (not sure if I should put the documentation on the same patch of code changes). Thanks! [1] https://github.com/pgbouncer/pgbouncer/commit/ba1abfe#diff-128a3f9ffa6a6f3863e843089ede6d07010215acf49c66b2d1f1d9baba2f49e7R1001 -- Matheus Alcantara EDB: https://www.enterprisedb.com
Commits
-
postgres_fdw and dblink should check if backend has MyProcPort
- 762fed90bfee 18.0 landed
- 138750dde4a8 19 (unreleased) landed
-
postgres_fdw: SCRAM authentication pass-through
- 761c79508e7f 18.0 landed