Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links
shammat@gmx.net
From: Thomas Kellerer <shammat@gmx.net>
To: pgsql-sql@lists.postgresql.org
Date: 2021-12-17T17:07:29Z
Lists: pgsql-sql
Tom Lane schrieb am 17.12.2021 um 17:27: > No, that won't help. Like postgres_fdw, dblink will only let you use > non-password auth methods if you're superuser [1][2]. The problem is > that making use of any credentials stored in the server's filesystem > amounts to impersonating the OS user that's running the server. It'd > be nice to find a less confining solution, but I'm not sure what one > would look like. > > Maybe "use server's FDW credentials" could be associated with a > grantable role? That's still an awfully coarse-grained approach > though. I thought for a moment about putting an SSL cert right > into the connection string; but you'd have to put the SSL private > key in there too, making it just as much of a security problem as > putting a password there (but about 100 times more verbose :-(). What about using a .pgpass file? We use that to hide the password for FDW connections on the SQL level. Regards Thomas