Re: dblink: Add SCRAM pass-through authentication

Matheus Alcantara <matheusssilv97@gmail.com>

From: Matheus Alcantara <matheusssilv97@gmail.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Peter Eisentraut <peter@eisentraut.org>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-03-21T15:32:24Z
Lists: pgsql-hackers

Attachments

On Thu, Mar 20, 2025 at 9:02 PM Jacob Champion
<jacob.champion@enterprisedb.com> wrote:
>
> On Thu, Mar 20, 2025 at 12:54 PM Matheus Alcantara
> <matheusssilv97@gmail.com> wrote:
> > Since the security checks are defined I'm attaching 0003 which include
> > the fix of security checks for postgres_fdw. It implements the
> > validations very similar to what are being implemented on dblink.
>
> Comments on 0003:
>
> > +           keywords[n] = "require_auth";
> > +           values[n] = "scram-sha-256";
> > +           n++;
>
> The keywords and values arrays need to be lengthened for this.

Fixed. I've also changed the code comment to mention the scram keys and
required options.


> >     host    all             all             $hostaddr/32            scram-sha-256
> > -   });
> > +   }
> > +   );
>
> Accidental diff?

Yep, sorry, I made some confusion with dblink formatting. Removed

> A few whitespace and comment tweaks are attached as well.

Squashed

> --
>
> > > I think they should just be reduced to "The remote server must request
> > > SCRAM authentication." and "The user mapping password is not used."
> >
> > I've removed the "user mapping password" <listitem> because we already
> > mentioned above that the password is not used and having just "The user
> > mapping password is not used." again seems redundant, what do you think?
>
> Personally, I think it's still useful to call out that the password in
> the user mapping is explicitly ignored. The other text motivates the
> feature, but it doesn't explain how it interacts with existing user
> mappings (most of which will have passwords).

Fair point. I've changed it to just "The user mapping password is not
used".

-- 
Matheus Alcantara

Commits

  1. dblink: SCRAM authentication pass-through

  2. postgres_fdw: improve security checks