Re: SCRAM pass-through authentication for postgres_fdw
Matheus Alcantara <matheusssilv97@gmail.com>
From: "Matheus Alcantara" <matheusssilv97@gmail.com>
To: "Peter Eisentraut" <peter@eisentraut.org>, "Alexander Pyhalov"
<a.pyhalov@postgrespro.ru>
Cc: "PostgreSQL Hackers" <pgsql-hackers@lists.postgresql.org>, "Jacob
Champion" <jacob.champion@enterprisedb.com>
Date: 2025-08-11T20:43:07Z
Lists: pgsql-hackers
Attachments
- v2-0001-docs-add-note-of-fdw-connections-using-SCRAM.patch (text/plain) patch v2-0001
On Fri Aug 8, 2025 at 3:31 PM -03, Peter Eisentraut wrote: >> I've also made some tests by using the use_scram_passthrough option on >> foreign server and if a bgworker try to use a foreign table that has >> this option associated with the foreign server the connection will fail >> because we don't have the MyProcPort and the password. To make it work >> the password is required on USER MAPPING options. I think that this >> limitation should be documented, see patch attached. > > The fact that SCRAM pass-through doesn't work in a background worker is > arguably implied by the existing paragraph that says that you need to > use SCRAM on the client side. But I think there is opportunity to > clarify that further. The documentation currently doesn't say what > happens if the client doesn't use SCRAM. The code then just ignores the > use_scram_passthrough setting, and your documentation proposal also > suggests that it would fall back to the password provided in the user > mapping. But this could be documented more explicitly, I think. > I agree, thanks for the comments! What do you think about the following? + <para> + If the incoming connection to the FDW instance does not use SCRAM, + <literal>use_scram_passthrough</literal> is ignored and authentication + will instead use the password from the user mapping, if one is provided. + </para> -- Matheus Alcantara
Commits
-
postgres_fdw and dblink should check if backend has MyProcPort
- 762fed90bfee 18.0 landed
- 138750dde4a8 19 (unreleased) landed
-
postgres_fdw: SCRAM authentication pass-through
- 761c79508e7f 18.0 landed