| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | AC Gomez <antklc(at)gmail(dot)com> |
| Cc: | PostgreSQL General <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Can the current session be notified and refreshed with a new credentials context? |
| Date: | 2020-06-22 22:08:37 |
| Message-ID: | 2094136.1592863717@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
AC Gomez <antklc(at)gmail(dot)com> writes:
> Suppose you have the following scenario:
> 1: Call some function with a certain user and password
> 2: From inside that function, have several calls using DBLink
> 3: At some point during the running of that function a password rotation(a
> separate process) comes along and updates the session user password and the
> User Mappings with this new rotated password
> 4: Now there is a discrepancy between the password used when the session
> started and the password in the User Mappings
> 5: The result is that on the next DBLink call the main function will fail
> because the session is still running with the old password but we have
> changed the User Mappings.
> We have proven this by separating out every DBLINK call as its own new
> session and running password rotation in between dblink calls. Then things
> will work.
If you hold the original dblink session open throughout the function,
password changes after that session is opened won't matter. Why are you
opening new sessions? It's inefficient as well as introducing unnecessary
chances for failure.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | AC Gomez | 2020-06-22 22:25:09 | Re: Can the current session be notified and refreshed with a new credentials context? |
| Previous Message | David G. Johnston | 2020-06-22 22:04:42 | Re: scram-sha-256 encrypted password in pgpass |