Re: pgsql: Superuser can permit passwordless connections on postgres_fdw

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: pgsql-committers(at)lists(dot)postgresql(dot)org
Subject: Re: pgsql: Superuser can permit passwordless connections on postgres_fdw
Date: 2019-12-20 12:02:08
Message-ID: 20191220120208.GA4258@paquier.xyz
Lists: pgsql-committers pgsql-hackers

Hi Andrew,

On Fri, Dec 20, 2019 at 05:55:10AM +0000, Andrew Dunstan wrote:
> Superuser can permit passwordless connections on postgres_fdw
>
> Currently postgres_fdw doesn't permit a non-superuser to connect to a
> foreign server without specifying a password, or to use an
> authentication mechanism that doesn't use the password. This is to avoid
> using the settings and identity of the user running Postgres.
>
> However, this doesn't make sense for all authentication methods. We
> therefore allow a superuser to set "password_required 'false'" for user
> mappings for the postgres_fdw. The superuser must ensure that the
> foreign server won't try to rely solely on the server identity (e.g.
> trust, peer, ident) or use an authentication mechanism that relies on the
> password settings (e.g. md5, scram-sha-256).
>
> This feature is a prelude to better support for sslcert and sslkey
> settings in user mappings.

After this commit a couple of buildfarm animals are unhappy with the
regression tests of postgres_fdw:
CREATE ROLE nosuper NOSUPERUSER;
+WARNING: roles created by regression test cases should have names
starting with "regress_"
GRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw TO nosuper;
It is a project policy to only use roles prefixed by "regress_" in
regression tests.

There is also a second type of failure:
-HINT: Valid options in this context are: [...] krbsrvname [...]
+HINT: Valid options in this context are: [...]
The diff here is that krbsrvname is not part of the list of valid
options. Anyway, as this list is build-dependent, I think that this
test needs some more design effort.
--
Michael
