Re: Can the current session be notified and refreshed with a new credentials context?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: AC Gomez <antklc(at)gmail(dot)com>
Cc: PostgreSQL General <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: Can the current session be notified and refreshed with a new credentials context?
Date: 2020-06-22 22:08:37
Message-ID: 2094136.1592863717@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

AC Gomez <antklc(at)gmail(dot)com> writes:
> Suppose you have the following scenario:
> 1: Call some function with a certain user and password
> 2: From inside that function, have several calls using DBLink
> 3: At some point during the running of that function a password rotation(a
> separate process) comes along and updates the session user password and the
> User Mappings with this new rotated password
> 4: Now there is a discrepancy between the password used when the session
> started and the password in the User Mappings
> 5: The result is that on the next DBLink call the main function will fail
> because the session is still running with the old password but we have
> changed the User Mappings.

> We have proven this by separating out every DBLINK call as its own new
> session and running password rotation in between dblink calls. Then things
> will work.

If you hold the original dblink session open throughout the function,
password changes after that session is opened won't matter. Why are you
opening new sessions? It's inefficient as well as introducing unnecessary
chances for failure.

regards, tom lane

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message AC Gomez 2020-06-22 22:25:09 Re: Can the current session be notified and refreshed with a new credentials context?
Previous Message David G. Johnston 2020-06-22 22:04:42 Re: scram-sha-256 encrypted password in pgpass