Re: dblink: Add SCRAM pass-through authentication
Matheus Alcantara <matheusssilv97@gmail.com>
From: Matheus Alcantara <matheusssilv97@gmail.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Peter Eisentraut <peter@eisentraut.org>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-03-21T15:32:24Z
Lists: pgsql-hackers
Attachments
- v10-0001-dblink-refactor-get-connection-routines.patch (application/octet-stream) patch v10-0001
- v10-0002-dblink-Add-SCRAM-pass-through-authentication.patch (application/octet-stream) patch v10-0002
- v10-0003-postgres_fdw-improve-security-checks.patch (application/octet-stream) patch v10-0003
On Thu, Mar 20, 2025 at 9:02 PM Jacob Champion <jacob.champion@enterprisedb.com> wrote: > > On Thu, Mar 20, 2025 at 12:54 PM Matheus Alcantara > <matheusssilv97@gmail.com> wrote: > > Since the security checks are defined I'm attaching 0003 which include > > the fix of security checks for postgres_fdw. It implements the > > validations very similar to what are being implemented on dblink. > > Comments on 0003: > > > + keywords[n] = "require_auth"; > > + values[n] = "scram-sha-256"; > > + n++; > > The keywords and values arrays need to be lengthened for this. Fixed. I've also changed the code comment to mention the scram keys and required options. > > host all all $hostaddr/32 scram-sha-256 > > - }); > > + } > > + ); > > Accidental diff? Yep, sorry, I made some confusion with dblink formatting. Removed > A few whitespace and comment tweaks are attached as well. Squashed > -- > > > > I think they should just be reduced to "The remote server must request > > > SCRAM authentication." and "The user mapping password is not used." > > > > I've removed the "user mapping password" <listitem> because we already > > mentioned above that the password is not used and having just "The user > > mapping password is not used." again seems redundant, what do you think? > > Personally, I think it's still useful to call out that the password in > the user mapping is explicitly ignored. The other text motivates the > feature, but it doesn't explain how it interacts with existing user > mappings (most of which will have passwords). Fair point. I've changed it to just "The user mapping password is not used". -- Matheus Alcantara
Commits
-
dblink: SCRAM authentication pass-through
- 3642df265d09 18.0 landed
-
postgres_fdw: improve security checks
- 76563f88cfbd 18.0 landed