From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
Cc: | pgsql-committers(at)lists(dot)postgresql(dot)org |
Subject: | Re: pgsql: Superuser can permit passwordless connections on postgres_fdw |
Date: | 2019-12-20 12:02:08 |
Message-ID: | 20191220120208.GA4258@paquier.xyz |
Lists: | pgsql-committers pgsql-hackers |
Hi Andrew,
On Fri, Dec 20, 2019 at 05:55:10AM +0000, Andrew Dunstan wrote:
> Superuser can permit passwordless connections on postgres_fdw
>
> Currently postgres_fdw doesn't permit a non-superuser to connect to a
> foreign server without specifying a password, or to use an
> authentication mechanism that doesn't use the password. This is to avoid
> using the settings and identity of the user running Postgres.
>
> However, this doesn't make sense for all authentication methods. We
> therefore allow a superuser to set "password_required 'false'" for user
> mappings for the postgres_fdw. The superuser must ensure that the
> foreign server won't try to rely solely on the server identity (e.g.
> trust, peer, ident) or use an authentication mechanism that relies on the
> password settings (e.g. md5, scram-sha-256).
>
> This feature is a prelude to better support for sslcert and sslkey
> settings in user mappings.
After this commit a couple of buildfarm animals are unhappy with the
regression tests of postgres_fdw:
CREATE ROLE nosuper NOSUPERUSER;
+WARNING: roles created by regression test cases should have names
starting with "regress_"
GRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw TO nosuper;
It is a project policy to only use roles prefixed by "regress_" in
regression tests.
There is also a second type of failure:
-HINT: Valid options in this context are: [...] krbsrvname [...]
+HINT: Valid options in this context are: [...]
The diff here is that krbsrvname is not part of the list of valid
options. Anyway, as this list is build-dependent, I think that this
test needs some more design effort.
--
Michael
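
An audit query for the `password_required 'false'` setting described in the quoted commit message, added here as an example (not part of the original email or of the PostgreSQL source tree). The server name `loopback_nopw` and role `regress_nosuper` are constructed for illustration; run it as a superuser so that `umoptions` is visible.

```sql
-- Constructed setup: one postgres_fdw user mapping that a superuser has
-- marked as not requiring a password. Names are hypothetical.
CREATE EXTENSION IF NOT EXISTS postgres_fdw;
CREATE ROLE regress_nosuper NOSUPERUSER;
CREATE SERVER loopback_nopw
    FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (dbname 'postgres');
CREATE USER MAPPING FOR regress_nosuper
    SERVER loopback_nopw
    OPTIONS (password_required 'false');

-- Audit: list every postgres_fdw user mapping where the password
-- requirement has been switched off. For each hit, the superuser is
-- responsible for checking that the foreign server does not authenticate
-- on server identity alone (trust, peer, ident).
SELECT w.fdwname,
       um.srvname,
       um.usename,              -- 'public' for a PUBLIC mapping
       o.option_value AS password_required
FROM pg_user_mappings AS um
JOIN pg_foreign_server AS s
  ON s.oid = um.srvid
JOIN pg_foreign_data_wrapper AS w
  ON w.oid = s.srvfdw
CROSS JOIN LATERAL pg_options_to_table(um.umoptions) AS o
WHERE w.fdwname = 'postgres_fdw'
  AND o.option_name = 'password_required'
  -- The option is stored as the text that was typed (e.g. 'false' or
  -- 'off'), so compare it as a boolean rather than as a string.
  AND NOT o.option_value::boolean
ORDER BY um.srvname, um.usename;

-- Cleanup of the constructed objects.
DROP USER MAPPING FOR regress_nosuper SERVER loopback_nopw;
DROP SERVER loopback_nopw;
DROP ROLE regress_nosuper;
```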