From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Jonathan Katz <jonathan(dot)katz(at)excoventures(dot)com> |
Cc: | aditya desai <admad123(at)gmail(dot)com>, pgsql-sql <pgsql-sql(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links |
Date: | 2021-12-17 16:27:30 |
Message-ID: | 1355149.1639758450@sss.pgh.pa.us |
Lists: | pgsql-sql |

Jonathan Katz <jonathan(dot)katz(at)excoventures(dot)com> writes:
>> On Dec 17, 2021, at 10:43 AM, aditya desai <admad123(at)gmail(dot)com> wrote:
>> How to use certificate based authentication in DB Links instead of hardcoding user name and password in it?
> dblink lets you pass in a PostgreSQL connection string[1].
> From there you can reference parameters to use certificates[2].

No, that won't help. Like postgres_fdw, dblink will only let you use
non-password auth methods if you're superuser [1][2]. The problem is
that making use of any credentials stored in the server's filesystem
amounts to impersonating the OS user that's running the server. It'd
be nice to find a less confining solution, but I'm not sure what one
would look like.

Maybe "use server's FDW credentials" could be associated with a
grantable role? That's still an awfully coarse-grained approach
though. I thought for a moment about putting an SSL cert right
into the connection string; but you'd have to put the SSL private
key in there too, making it just as much of a security problem as
putting a password there (but about 100 times more verbose :-().

regards, tom lane

[1] https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=contrib/dblink/dblink.c;h=d73c616f4f240cf5f33294e61053765375a5bea6;hb=HEAD#l2669

[2] https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=contrib/dblink/dblink.c;h=d73c616f4f240cf5f33294e61053765375a5bea6;hb=HEAD#l2690
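
A simplified Python model of the restriction described in the message above, added here as an illustration; it is not dblink's C code and not part of the original email. The function names, sample hosts, file paths and passwords are assumptions, and the `server_asked_for_password` flag stands in for what libpq's `PQconnectionUsedPassword()` reports after the connection is made.

```python
import re

# One keyword=value pair; values are bare or single-quoted, with backslash escapes.
_PAIR = re.compile(r"""\s*(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|((?:[^\s'\\]|\\.)*))""")


def parse_conninfo(conninfo):
    """Parse a libpq keyword=value connection string (URI form not handled)."""
    params, pos, text = {}, 0, conninfo.strip()
    while pos < len(text):
        m = _PAIR.match(text, pos)
        if m is None:
            raise ValueError(f"cannot parse conninfo at offset {pos}")
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)  # drop escape backslashes
        pos = m.end()
    return params


def dblink_auth_decision(conninfo, is_superuser, server_asked_for_password):
    """Return (allowed, reason) for a dblink-style outbound connection."""
    if is_superuser:
        return True, "superuser: any auth method"
    # Before connecting: the caller must bring a non-empty password of their own.
    if not parse_conninfo(conninfo).get("password"):
        return False, "no password in connection string"
    # After connecting: the remote must actually have asked for that password,
    # otherwise the login succeeded on credentials held by the server's OS user.
    if not server_asked_for_password:
        return False, "remote server did not request the password"
    return True, "password auth with caller-supplied credentials"


# Constructed sample strings (hosts, paths and passwords are made up).
CERT_ONLY = ("host=remote.example dbname=app user=app "
             "sslcert=/srv/pg/client.crt sslkey=/srv/pg/client.key")
CERT_PLUS_UNUSED_PASSWORD = CERT_ONLY + " password='x y'"
PASSWORD_ONLY = "host=remote.example dbname=app user=app password=s3cret"

if __name__ == "__main__":
    cases = [
        ("cert only, ordinary user", CERT_ONLY, False, False),
        ("cert + unused password, ordinary user", CERT_PLUS_UNUSED_PASSWORD, False, False),
        ("password, ordinary user", PASSWORD_ONLY, False, True),
        ("cert only, superuser", CERT_ONLY, True, False),
    ]
    for label, conninfo, is_su, asked in cases:
        print(f"{label}: {dblink_auth_decision(conninfo, is_su, asked)}")
```

The second case shows why adding a password to a certificate connection string does not change the outcome for an ordinary user: the remote side authenticates the certificate and never requests the password.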